Potential fix for code scanning alert no. 124: Clear-text logging of sensitive information

[Jackson57279]

Potential fix for https://github.com/otdoges/zapdev/security/code-scanning/124

To fix the problem, we should avoid logging any part of the sensitive API keys. Instead, we can log whether the key is set or not, without revealing any portion of its value. This means updating the log statements in checkEnvironmentVariables so that they only indicate presence/absence of the keys, not their values or substrings. The changes are limited to the log statements on lines 292, 293, 306, and 307 in scripts/setup-env.js. No new imports or methods are required; only the log message format needs to be changed.

---

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Summary by CodeRabbit

• Chores
  • Updated environment setup logging to fully redact secret values, showing only whether each key is set or not.
  • Standardized runtime and per-file checks to avoid displaying any key fragments in console output.
  • No behavior changes to detection logic; only messaging adjusted for safer, cleaner logs.
  • Improves security and reduces noise for developers running setup locally and in CI.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Project	Deployment	Preview	Comments	Updated (UTC)
zapdev	✅ Ready	Preview	Comment	Aug 12, 2025 2:39pm

[coderabbitai]

Walkthrough

Redacts environment variable values from logs in scripts/setup-env.js. Runtime and per-file checks now report only “Set” or “Not set” for VITE_GROQ_API_KEY and VITE_E2B_API_KEY, removing truncated key snippets. No logic changes to key presence checks; only log messaging updated.

Changes

Cohort / File(s)	Summary of Changes
Env key logging redaction scripts/setup-env.js	Updated logging to omit key fragments for VITE_GROQ_API_KEY and VITE_E2B_API_KEY; now logs only Set/Not set in runtime and per-file reads. No changes to presence-check logic or exports.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~7 minutes

Poem

I tucked the keys where shadows play,
No peeks, no leaks, just “Set” today.
A twitch of whiskers, logs made neat—
Secrets safe beneath my feet.
Tap-tap hops, the console’s clean—
Carrots, code, and security keen.

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e2a5b50 and 13b3060.

📒 Files selected for processing (1)

• scripts/setup-env.js (2 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

**/*.{js,jsx}

📄 CodeRabbit Inference Engine (.cursor/rules/posthog-integration.mdc)

If using JavaScript, store flag names as strings to an object declared as a constant, to simulate an enum.

Files:

• scripts/setup-env.js

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/posthog-integration.mdc)

**/*.{js,jsx,ts,tsx}: Use a consistent naming convention for this storage. enum/const object members should be written UPPERCASE_WITH_UNDERSCORE.
If a custom property for a person or event is at any point referenced in two or more files or two or more callsites in the same file, use an enum or const object, as above in feature flags.

Files:

• scripts/setup-env.js

🧬 Code Graph Analysis (1)

scripts/setup-env.js (1)

setup-ai.js (2)

• groqKey (64-64)
• e2bKey (78-78)

🔇 Additional comments (3)

scripts/setup-env.js (3)

292-293: LGTM! Security improvement successfully implemented.

The logging changes correctly redact sensitive API key values while maintaining the functional information needed for debugging. The implementation properly uses ternary operators to display only "Set" or "Not set" status.

---

306-307: LGTM! Consistent redaction pattern applied.

The per-file environment variable checks now consistently redact sensitive values, matching the runtime check pattern. This ensures no API key fragments are exposed in logs across different logging contexts.

---

284-312: ✅ Sensitive data logging removal verified in scripts/setup-env.js

• Only status indicators (“Set”/“Not set”) are logged for VITE_GROQ_API_KEY and VITE_E2B_API_KEY.
• No direct interpolation or printing of secret values remains.

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch alert-autofix-124

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[claude]

Claude finished @otdoges's task —— View job

---

PR Review: Security Fix for Clear-text Logging ✅

Todo List:

• Read and analyze the modified file (scripts/setup-env.js)
• Review the specific security changes made
• Assess code quality and best practices
• Check for potential bugs or issues
• Evaluate performance considerations
• Review security effectiveness
• Assess test coverage needs
• Provide comprehensive feedback

---

Summary

This PR effectively addresses code scanning alert #124 by removing the logging of sensitive API key substrings. The changes are focused, secure, and maintain the script's functionality.

✅ Code Quality & Best Practices

• Clean implementation: Simple, focused changes that directly address the security issue
• Maintains functionality: The script still provides useful feedback about key presence/absence
• Consistent pattern: All four log statements follow the same secure pattern
• Good error handling: Existing error handling and validation logic remains intact

✅ Security Assessment

• Primary vulnerability fixed: No longer logs key.substring(0, 8) which could expose sensitive data
• Follows security best practice: "Presence/absence" logging instead of partial key exposure
• No new vulnerabilities introduced: Changes are purely restrictive (removing sensitive data)
• Comprehensive coverage: Fixed all instances in the checkEnvironmentVariables function (lines 292, 293, 306, 307)

Before (vulnerable):

logInfo(`VITE_GROQ_API_KEY: ${groqKey ? `Set (${groqKey.substring(0, 8)}...)` : 'Not set'}`);

After (secure):

logInfo(`VITE_GROQ_API_KEY: ${groqKey ? 'Set' : 'Not set'}`);

✅ Performance Considerations

• Improved performance: Removes string operations (substring, template literal concatenation)
• Minimal impact: Changes are in a setup script, not production runtime code
• No new dependencies: Uses existing logging infrastructure

✅ Potential Issues Assessment

• No bugs introduced: Logic remains identical, only output format changed
• No breaking changes: Script still provides the same essential information
• User experience maintained: Developers can still verify if keys are configured

⚠️ Related Security Scan

I performed a codebase scan and found one additional substring usage in /home/runner/work/zapdev/zapdev/src/lib/sandbox.ts:96, but it's logging output data (not API keys), so it's not a security concern:

console.log('📄 Output:', result.stdout.substring(0, 200))

✅ Test Coverage

• Low risk change: Simple string replacement that maintains existing behavior
• Existing tests sufficient: The setup script's core validation logic is unchanged
• Manual verification: The script itself serves as a validation tool

Recommendation: ✅ APPROVE

This is an excellent security fix that:

• Directly addresses the identified vulnerability
• Maintains all functionality while improving security
• Follows security best practices for sensitive data logging
• Has minimal risk of introducing bugs or regressions

The implementation is clean, focused, and production-ready. No additional changes needed.

---

[Jackson57279]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.