From f8b80c0bc8b429b8bc8214de1dfbec14beb38563 Mon Sep 17 00:00:00 2001
From: badMade <106821302+badMade@users.noreply.github.com>
Date: Sat, 23 May 2026 09:53:11 +0000
Subject: [PATCH] Fix sensitive data leak in HTTP client error logging
Modifies `console.error` statements in the HTTP client and proxy to log safe properties (message, name, status) instead of full Axios/HTTP error objects. This prevents sensitive information like `Authorization` headers or API keys embedded in the request configuration from being leaked to logs.
Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
---
 src/openapi-mcp-server/client/http-client.ts | 7 ++++++-
 src/openapi-mcp-server/mcp/proxy.ts | 14 +++++++++++---
 2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/src/openapi-mcp-server/client/http-client.ts b/src/openapi-mcp-server/client/http-client.ts
index 58bf803b..ce0bdbd2 100644
--- a/src/openapi-mcp-server/client/http-client.ts
+++ b/src/openapi-mcp-server/client/http-client.ts
@@ -177,7 +177,12 @@ export class HttpClient {
 }
 } catch (error: any) {
 if (error.response) {
- console.error('Error in http client', error)
+ // Log safe properties instead of full error to prevent leaking secrets in config/headers
+ console.error('Error in http client', {
+ message: error.message,
+ name: error.name,
+ status: error.response?.status,
+ })
 const headers = new Headers()
 Object.entries(error.response.headers).forEach(([key, value]) => {
 if (value) headers.append(key, value.toString())
diff --git a/src/openapi-mcp-server/mcp/proxy.ts b/src/openapi-mcp-server/mcp/proxy.ts
index 60269664..fbeee953 100644
--- a/src/openapi-mcp-server/mcp/proxy.ts
+++ b/src/openapi-mcp-server/mcp/proxy.ts
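Review bot: `status: error.response?.status,` in the new log object uses optional chaining on a value the enclosing `if (error.response)` has already established, so the `?.` only obscures intent; `status: error.response.status,` is enough. The same fields-to-log literal is duplicated in the proxy.ts hunk; a small `safeErrorSummary(error: unknown)` helper exported from this file and used by both call sites would keep the allow-list of loggable fields in one place, so a future log statement cannot quietly reintroduce the full Axios error with its request config. The `catch (error: any)` is pre-existing, but now that the branch is rewritten, `catch (error: unknown)` narrowed with `axios.isAxiosError(error)` (if axios is imported in this file) would type-check the property reads instead of relying on `any`. The try/catch starts before this hunk and the non-response branch continues after it.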
@@ -97,10 +97,18 @@ export class MCPProxy {
 },
 ],
 }
- } catch (error) {
- console.error('Error in tool call', error)
+ } catch (error: any) {
+ // Log safe properties instead of full error to prevent leaking secrets in config/headers
+ console.error('Error in tool call', {
+ message: error.message,
+ name: error.name,
+ status: error.response?.status || (error instanceof HttpClientError ? error.status : undefined),
+ })
 if (error instanceof HttpClientError) {
- console.error('HttpClientError encountered, returning structured error', error)
+ console.error('HttpClientError encountered, returning structured error', {
+ message: error.message,
+ status: error.status,
+ })
 const data = error.data?.response?.data ?? error.data ?? {}
 return {
 content: [
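Review bot: The second `console.error` inside the `instanceof HttpClientError` branch repeats the `message` and `status` logged three lines above, so every HttpClientError now produces two entries for one failure; one summary line is enough, with the structured-error branch at most noting that it is returning a structured error. Widening the catch from `unknown` to `any` is not needed to read these fields: an `instanceof Error` narrowing gives `message` and `name`, and the raw-response status can be read through a typed view of the object rather than through `any`. `||` on a numeric status should be `??`, so a falsy status is not silently dropped. The enclosing tool-call handler starts before this hunk and its return value continues after it.
```typescript
} catch (error: unknown) {
  // Only fields that cannot carry request config or headers (Authorization, API keys) are logged.
  const err = error instanceof Error ? error : new Error(String(error))
  const status =
    error instanceof HttpClientError
      ? error.status
      : (error as { response?: { status?: number } } | null)?.response?.status
  console.error('Error in tool call', { message: err.message, name: err.name, status })
  if (error instanceof HttpClientError) {
    console.error('HttpClientError encountered, returning structured error')
    // … unchanged: structured error response built from error.data …
```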