You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Upstream LLM providers sometimes echo credential material inside error bodies (for example incorrect API key messages, bearer tokens, or JSON apiKey fields). This change redacts those patterns before Bifrost errors are returned, streamed to clients, or logged.
Changes
Add llm.SanitizeProviderError / SanitizeProviderErrorMessage with the same redaction approach used elsewhere for OpenAI-style errors (regex passes plus configured-key replacement, then non-printable character sanitization).
Apply sanitization to all Bifrost error paths: chat and Responses streaming, embeddings, transcription, and model listing.
Redact API keys and tokens from Bifrost error messages using shared llm
sanitization (ported from mattermost-plugin-agents OpenAI path).
Made-with: Cursor
The reason will be displayed to describe this comment to others. Learn more.
Stale comment
Security Review: No Issues Found
This PR adds proper redaction of API keys and secrets from Bifrost provider error messages across all error surfaces (streaming, embeddings, transcription, model listing). The implementation is sound:
Regex patterns cover the major provider key formats (OpenAI, Anthropic, bearer tokens, JSON fields), plus a configured-key fallback.
regexp.QuoteMeta prevents regex injection from the configured key, and Go's RE2 engine prevents ReDoS.
All downstream code paths that consume these errors use .Error(), which returns the sanitized message.
The Unwrap() chain preserves the original error for errors.Is/errors.As compatibility — standard Go practice. No current code path traverses the error chain in a way that would expose unsanitized content.
No medium, high, or critical vulnerabilities identified.
Reviewing files that changed from the base of the PR and between 35dd39b and 9125387.
📒 Files selected for processing (1)
bifrost/bifrost.go
✅ Files skipped from review due to trivial changes (1)
bifrost/bifrost.go
📝 Walkthrough
Walkthrough
This PR adds provider-error sanitization utilities and integrates them into Bifrost components by storing API keys on provider structs and passing errors through llm.SanitizeProviderError(...) before emitting or returning them.
Changes
Cohort / File(s)
Summary
Bifrost core & streaming bifrost/bifrost.go
Added apiKey to LLM and updated streaming error emissions to wrap errors with llm.SanitizeProviderError(..., b.apiKey) before sending EventTypeError.
Embeddings provider bifrost/embeddings.go
EmbeddingProvider stores apiKey; embedding request failures are wrapped with llm.SanitizeProviderError before returning.
Model listing bifrost/models.go
FetchModels now wraps model-listing errors with llm.SanitizeProviderError(..., cfg.APIKey) instead of returning raw formatted errors.
Transcription bifrost/transcription.go
Transcriber stores apiKey; transcription request errors are sanitized via llm.SanitizeProviderError before being returned.
New sanitization module that redacts API keys, bearer headers, and non-printable chars; returns SanitizedProviderError when redaction occurs. Comprehensive tests added covering formats, edge cases, and error-wrapping behavior.
Sequence Diagram(s)
(Skipped — changes are primarily error sanitization plumbing and new utility, not a multi-actor control flow requiring sequence diagrams.)
The reason will be displayed to describe this comment to others. Learn more.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@bifrost/bifrost.go`:
- Around line 36-37: The LLM struct currently stores only apiKey causing AWS
creds to be omitted from redaction; add a field like redactionSecrets []string
on the LLM/bifrost struct, populate it from cfg.APIKey, cfg.AWSAccessKeyID and
cfg.AWSSecretAccessKey when constructing the struct, and remove the single
apiKey-only usage, then update llm.SanitizeProviderError to accept variadic
secrets (...string) and change all call sites to pass b.redactionSecrets...
(e.g., where SanitizeProviderError(...) is invoked) so Bedrock/AWS credential
values are included in the redaction set.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
The reason will be displayed to describe this comment to others. Learn more.
⚠️ Potential issue | 🟠 Major
Don't drop Bedrock credentials from the redaction set.
LLM now retains only cfg.APIKey, but this config also accepts AWSAccessKeyID and AWSSecretAccessKey. Those never reach llm.SanitizeProviderError, so a Bedrock auth error that echoes either value will still leak it through the new streamed error paths. Please carry a full secret list here instead of a single API key.
🔐 Suggested direction
type LLM struct {
client *bifrostcore.Bifrost
provider schemas.ModelProvider
- apiKey string // used only to redact configured secrets from provider error surfaces+ redactionSecrets []string
defaultModel string
inputTokenLimit int
outputTokenLimit int
streamingTimeout time.Duration
@@
return &LLM{
client: client,
provider: cfg.Provider,
- apiKey: cfg.APIKey,+ redactionSecrets: []string{+ cfg.APIKey,+ cfg.AWSAccessKeyID,+ cfg.AWSSecretAccessKey,+ },
defaultModel: cfg.DefaultModel,
inputTokenLimit: cfg.InputTokenLimit,
Then widen the llm.SanitizeProviderError(...) helpers to accept ...string and pass b.redactionSecrets... at the call sites.
Also applies to: 200-200
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@bifrost/bifrost.go` around lines 36 - 37, The LLM struct currently stores
only apiKey causing AWS creds to be omitted from redaction; add a field like
redactionSecrets []string on the LLM/bifrost struct, populate it from
cfg.APIKey, cfg.AWSAccessKeyID and cfg.AWSSecretAccessKey when constructing the
struct, and remove the single apiKey-only usage, then update
llm.SanitizeProviderError to accept variadic secrets (...string) and change all
call sites to pass b.redactionSecrets... (e.g., where SanitizeProviderError(...)
is invoked) so Bedrock/AWS credential values are included in the redaction set.
The reason will be displayed to describe this comment to others. Learn more.
Security Review: No Issues Found
This PR adds proper redaction of API keys and secrets from Bifrost provider error messages across all error surfaces (streaming chat/responses, embeddings, transcription, model listing). The implementation is sound:
Regex injection safe: regexp.QuoteMeta is correctly used on the configured API key before building the replacement regex, preventing attacker-controlled keys from injecting regex patterns. Go's RE2 engine also prevents ReDoS.
All Bifrost error paths covered: Every bifrostErr.Error.Message site is now wrapped with SanitizeProviderError.
Unwrap() chain is safe: The SanitizedProviderError.Unwrap() returns the original unsanitized error, which is standard Go practice for errors.Is/errors.As compatibility. I verified that no downstream code in the repository traverses the error chain to extract .Error() from the unwrapped original — all consumers (streaming/streaming.go L465, llm/stream.go L84, api/api_llm_bridge.go L227) call .Error() on the top-level wrapper, which returns the sanitized message.
Pattern coverage: Regex patterns cover OpenAI keys (sk-*, sk-proj-*), Anthropic keys (sk-ant-*), Bearer authorization headers, JSON apiKey fields, and the "Incorrect API key provided" message format. The configured key fallback catch-all handles provider-specific key formats not matched by the static patterns.
Stored apiKey field: The field is unexported (lowercase), not serialized, and only used for redaction comparisons — no new exposure surface.
No medium, high, or critical vulnerabilities identified.
Sent by Cursor Automation: Find vulnerabilities
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Summary
Upstream LLM providers sometimes echo credential material inside error bodies (for example incorrect API key messages, bearer tokens, or JSON
apiKeyfields). This change redacts those patterns before Bifrost errors are returned, streamed to clients, or logged.Changes
llm.SanitizeProviderError/SanitizeProviderErrorMessagewith the same redaction approach used elsewhere for OpenAI-style errors (regex passes plus configured-key replacement, then non-printable character sanitization).Ticket
https://mattermost.atlassian.net/browse/MM-67547
Summary by CodeRabbit
New Features
Bug Fixes
Tests