From 00ff97fb100d1ac75c3fe851235a43e35fe74e3e Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Wed, 20 May 2026 05:00:44 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[CRITICAL]?=
 =?UTF-8?q?=20Fix=20Information=20Leakage=20in=20Debug=20Endpoint?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

🚨 Severity: CRITICAL
💡 Vulnerability: The unauthenticated `/debug` endpoint was outputting `process.env.MONGODB_URI.substring(0, 60)`, intending to show a truncated preview of the string. However, since MongoDB URIs take the format `mongodb+srv://:@.mongodb.net/...`, the first 60 characters usually include the entire username and plaintext password, leaking database credentials to the public.
🎯 Impact: Complete database compromise via exposed credentials.
🔧 Fix: Removed the `substring` logic and replaced it with a static "hidden for security" message.
✅ Verification: Ensure `/debug` no longer exposes any part of the `MONGODB_URI` string when the variable is set.

Co-authored-by: GerryK97 <210032986+GerryK97@users.noreply.github.com>
---
 .jules/sentinel.md | 4 ++++
 src/app/debug/route.ts | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 .jules/sentinel.md

diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 00000000..9668f080
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2024-05-20 - MONGODB_URI Password Disclosure Risk via Partial String Masking
+**Vulnerability:** The public unauthenticated `/debug` endpoint was outputting `process.env.MONGODB_URI.substring(0, 60)`, intending to show a truncated preview of the string. However, since MongoDB URIs take the format `mongodb+srv://:@.mongodb.net/...`, the first 60 characters usually include the entire username and plaintext password.
+**Learning:** Developers sometimes assume taking the beginning of a string is safe for logging, failing to consider the internal structure of the secret (like connection URIs) where the most sensitive data is at the very beginning.
+**Prevention:** Never use substring on connection strings or URLs to mask them. Either log a boolean (presence check) or use a dedicated parser to extract non-sensitive parts (like the host) if partial logging is truly needed.
diff --git a/src/app/debug/route.ts b/src/app/debug/route.ts
index 10a77d99..dfa30e63 100644
--- a/src/app/debug/route.ts
+++ b/src/app/debug/route.ts
@@ -17,7 +17,7 @@ export async function GET() {
 // Database
 MONGODB_URI: process.env.MONGODB_URI
- ? `✅ SET (${process.env.MONGODB_URI.substring(0, 60)}...)`
+ ? '✅ SET (hidden for security)'
 : '❌ NOT SET',
 // Derived info
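Review bot: The static string on the `+ ? '✅ SET (hidden for security)'` line stops echoing the URI, but per the commit message `/debug` is still unauthenticated, so the handler keeps disclosing which secrets and services are configured to any caller; `GET()` starts before this hunk and its remaining response fields lie outside it. A guard at the top of the handler would close that, e.g. `if (process.env.NODE_ENV === 'production') return new Response(null, { status: 404 });`, or the route should run the app's existing auth check before building the response. The `// Derived info` entries that follow the hunk should be checked for values parsed out of `MONGODB_URI` (host, database name) that would re-leak part of the string — I cannot see them here. A why-comment above the `MONGODB_URI:` key would keep a future edit from reintroducing a preview: `// Never echo any part of MONGODB_URI: credentials sit at the start of the string.`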