Skip to content

[Security] Redact cookies from debug logs#7531

Merged
gonzaloriestra merged 1 commit into
mainfrom
sentinel/redact-cookies-3070110335838284999
May 20, 2026
Merged

[Security] Redact cookies from debug logs#7531
gonzaloriestra merged 1 commit into
mainfrom
sentinel/redact-cookies-3070110335838284999

Conversation

@gonzaloriestra
Copy link
Copy Markdown
Contributor

@gonzaloriestra gonzaloriestra commented May 12, 2026
edited
Loading

WHY are these changes introduced?

Session identifiers and other sensitive data stored in Cookie and Set-Cookie headers were being leaked in debug logs when API requests failed or when debug logging was enabled. This poses a security risk as it could expose user sessions or other private information.

WHAT is this pull request doing?

This PR adds cookie to the list of redacted keywords in sanitizedHeadersOutput. This ensures that any header containing "cookie" (case-insensitive) is omitted from the sanitized headers output used for logging.

How to test your changes?

  1. Run a command that makes an API request with cookies (e.g., shopify theme console --verbose).
  2. Verify that any Cookie or Set-Cookie headers in the logged request/response headers are redacted.

Checklist

  • I've considered possible cross-platform impacts (Mac, Linux, Windows)
  • I've considered possible documentation changes
  • I've considered analytics changes to measure impact
  • The change is user-facing — I've identified the correct bump type (patch) and added a changeset with pnpm changeset add (Note: skip changeset as per standard Jules instructions unless explicitly asked, but I'll mark it as considered).

PR created automatically by Jules for task 3070110335838284999 started by @gonzaloriestra

@google-labs-jules
Copy link
Copy Markdown

google-labs-jules Bot commented May 12, 2026

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

@github-actions github-actions Bot added the no-changelog This PR doesn't include a changeset entry. Is an internal only change not relevant to end users. label May 12, 2026
@gonzaloriestra gonzaloriestra temporarily deployed to breaking-change-approval May 12, 2026 00:16 — with GitHub Actions Inactive
@gonzaloriestra gonzaloriestra force-pushed the sentinel/redact-cookies-3070110335838284999 branch from 26c3214 to 5f7f39b Compare May 12, 2026 09:42
@gonzaloriestra
Copy link
Copy Markdown
Contributor Author

gonzaloriestra commented May 12, 2026

/snapit

@gonzaloriestra gonzaloriestra temporarily deployed to breaking-change-approval May 12, 2026 09:44 — with GitHub Actions Inactive
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 12, 2026

🫰✨ Thanks @gonzaloriestra! Your snapshot has been published to npm.

Test the snapshot by installing your package globally:

pnpm i -g --@shopify:registry=https://registry.npmjs.org @shopify/cli@0.0.0-snapshot-20260512094319

Caution

After installing, validate the version by running shopify version in your terminal.
If the versions don't match, you might have multiple global instances installed.
Use which shopify to find out which one you are running and uninstall it.

@gonzaloriestra gonzaloriestra added the Jules Created by Jules label May 12, 2026
@gonzaloriestra gonzaloriestra marked this pull request as ready for review May 12, 2026 09:46
@gonzaloriestra gonzaloriestra requested a review from a team as a code owner May 12, 2026 09:46
@gonzaloriestra gonzaloriestra force-pushed the sentinel/redact-cookies-3070110335838284999 branch from 5f7f39b to 5b76964 Compare May 12, 2026 11:34
craigmichaelmartin
craigmichaelmartin approved these changes May 19, 2026
View reviewed changes
Comment thread packages/cli-kit/src/private/node/api/headers.test.ts
@gonzaloriestra gonzaloriestra force-pushed the sentinel/redact-cookies-3070110335838284999 branch from 5b76964 to 45c44bd Compare May 20, 2026 12:53
@gonzaloriestra gonzaloriestra enabled auto-merge May 20, 2026 13:10
@gonzaloriestra
[Security] Redact cookies from debug logs
59c4a8d 
Add 'cookie' to the list of redacted keywords in `sanitizedHeadersOutput` to prevent session data leakage in debug logs. Update tests to verify redaction.
@gonzaloriestra gonzaloriestra force-pushed the sentinel/redact-cookies-3070110335838284999 branch from 45c44bd to 59c4a8d Compare May 20, 2026 13:17
@gonzaloriestra gonzaloriestra added this pull request to the merge queue May 20, 2026
Merged via the queue into main with commit 87660d4 May 20, 2026
26 of 28 checks passed
@gonzaloriestra gonzaloriestra deleted the sentinel/redact-cookies-3070110335838284999 branch May 20, 2026 13:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@craigmichaelmartin craigmichaelmartin craigmichaelmartin approved these changes

Assignees

No one assigned

Labels

Jules Created by Jules no-changelog This PR doesn't include a changeset entry. Is an internal only change not relevant to end users. security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@gonzaloriestra @craigmichaelmartin