From 8998000aec9e9acdd402bbc534f60ca52d9228a6 Mon Sep 17 00:00:00 2001
From: Derek Higgins
Date: Fri, 5 Dec 2025 20:53:47 +0000
Subject: [PATCH] fix(security): redact JWT tokens in server logs (#4325)

Add "token" to sensitive field patterns in redact_sensitive_fields() to prevent JWT tokens from being logged in plaintext. Previously only api_key, api_token, password, and secret were filtered. This prevents tokens like server.auth.provider_config.jwks.token from being exposed in server logs.
Closes: #4324
Signed-off-by: Derek Higgins
---
 src/llama_stack/core/utils/config.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/llama_stack/core/utils/config.py b/src/llama_stack/core/utils/config.py
index dece52460..2f45d6d99 100644
--- a/src/llama_stack/core/utils/config.py
+++ b/src/llama_stack/core/utils/config.py
@@ -9,7 +9,7 @@ from typing import Any
 
 def redact_sensitive_fields(data: dict[str, Any]) -> dict[str, Any]:
     """Redact sensitive information from config before printing."""
-    sensitive_patterns = ["api_key", "api_token", "password", "secret"]
+    sensitive_patterns = ["api_key", "api_token", "password", "secret", "token"]
 
     def _redact_value(v: Any) -> Any:
         if isinstance(v, dict):
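Review bot: Adding the bare pattern `"token"` on the `+` line will, if `_redact_value` tests patterns as substrings of the key (its body continues below the hunk, so this is inferred), also blank out non-secret fields that are common in an inference-stack config, such as `max_tokens`, `tokenizer` or `*_token_id`, which hides useful settings from the printed config and makes support debugging harder. Consider matching on a word boundary instead — e.g. treat a key as sensitive when `key == "token"` or it ends with `_token` — or keep a small allow-list for those known benign names. A key-name deny-list is also inherently incomplete: a JWT stored under `jwt`, `credential` or `bearer` would still be printed, so a value-shape check for JWTs (three dot-separated base64url segments, typically starting with `eyJ`) would cover keys this list does not anticipate. Finally, a regression test asserting that `redact_sensitive_fields` masks the `server.auth.provider_config.jwks.token` path named in the commit message would pin this fix against future pattern edits.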