Summary
looks_secret_like() in rust/src/bundle.rs is the fail-closed backstop for apw doctor --bundle. Its generic high-entropy-token branch only flags a string when all of these hold:
token_like_chars && trimmed.len() >= 32
&& alphanumeric_count >= trimmed.len() - 4
&& digit_count >= 1
This leaves real credential shapes unflagged:
- All-letter secrets — any token with no digits (digit_count >= 1 fails). A 40-char base64/hex-ish secret consisting only of letters passes through.
- Short secrets — anything < 32 chars (many API keys, PINs, short passwords, the password half of a basic-auth pair).
- Passphrases with spaces/punctuation — token_like_chars requires the whole string to be [A-Za-z0-9+/=_-], so a multi-word passphrase is never considered.
The vendor-prefix list (AKIA, ghp_, sk-, …) catches known formats, but the generic entropy branch is the catch-all and it has these gaps.
Why it matters
The bundle is designed to exclude credential files (config.json, credentials.json, broker.log), so this is defense-in-depth — but the manifest advertises a redaction guarantee and bundle.rs's own doc comment says any token-like match "aborts the bundle." A free-text field (e.g. an error/message string that happens to echo a secret, or a future field added to the doctor payload) could ship a credential the heuristic doesn't recognize.
Recommendation
- Add a Shannon-entropy check that does not require a digit and applies to shorter runs (e.g. flag >= ~3.5 bits/char over runs >= 20 chars).
- Drop the digit_count >= 1 requirement, or make it one of several signals rather than mandatory.
- Consider allow-listing the exact set of fields permitted into the bundle instead of relying solely on value-shaped detection.
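To make the gaps and the proposed fix concrete, here is an added example (not code from bundle.rs) that models the generic branch exactly as described above and places the recommended Shannon-entropy signal beside it. The 20-char run length and 3.5 bits/char threshold are the values suggested above, taken as assumptions; the sample strings are constructed.

```rust
use std::collections::HashMap;

// Added example, not the project's code: a model of the generic branch of
// looks_secret_like() as the issue describes it, next to the Shannon-entropy
// check the issue recommends. The 20-char / 3.5-bit thresholds are the
// issue's suggested values, assumed here.

fn is_token_char(c: char) -> bool {
    c.is_ascii_alphanumeric() || "+/=_-".contains(c)
}

/// Current generic high-entropy-token branch: whole string token-like,
/// >= 32 chars, at most 4 non-alphanumerics, and at least one digit.
pub fn current_generic_branch(s: &str) -> bool {
    let t = s.trim();
    let alnum = t.chars().filter(|c| c.is_ascii_alphanumeric()).count();
    let digits = t.chars().filter(|c| c.is_ascii_digit()).count();
    // `alnum + 4 >= len` is `alnum >= len - 4` without usize underflow.
    t.chars().all(is_token_char) && t.len() >= 32 && alnum + 4 >= t.len() && digits >= 1
}

/// Shannon entropy of a string in bits per character.
pub fn shannon_bits_per_char(s: &str) -> f64 {
    let n = s.chars().count() as f64;
    let mut counts: HashMap<char, usize> = HashMap::new();
    for c in s.chars() {
        *counts.entry(c).or_insert(0) += 1;
    }
    counts.values().map(|&k| { let p = k as f64 / n; -p * p.log2() }).sum()
}

/// Recommended signal: any token-like run of >= 20 chars with entropy
/// >= 3.5 bits/char is flagged, with no digit requirement. Because it
/// scans runs, it also fires on a secret echoed inside a free-text field.
pub fn entropy_flag(s: &str) -> bool {
    s.split(|c: char| !is_token_char(c))
        .filter(|run| run.len() >= 20)
        .any(|run| shannon_bits_per_char(run) >= 3.5)
}

/// Digits become one signal among several instead of a hard gate.
pub fn looks_secret_like_proposed(s: &str) -> bool {
    current_generic_branch(s) || entropy_flag(s)
}
```

Two things the tests below show that the prose does not: a multi-word passphrase is still missed by any value-shaped check, which is what the field allow-list is for, and an ordinary snake_case identifier such as connection_refused_retrying already scores about 3.62 bits/char, so the 3.5 threshold needs tuning against benign doctor output before it ships.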
References
- rust/src/bundle.rs (looks_secret_like, audit_redaction)
Severity: Low
Filed by an automated deep security review.