Yehowshua/ZIm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Redact command environment variables from log output (#32985)

Browse source 
Before/After (linebreaks added for readability)
```log 
# before
INFO  [project::context_server_store::extension]
loaded command for context server mcp-server-github:
Command { 
  command: "/Users/peter/Library/Application Support/Zed/extensions/work/mcp-server-github/github-mcp-server-v0.5.0/github-mcp-server", 
  args: ["stdio"], 
  env: [("GITHUB_PERSONAL_ACCESS_TOKEN", "gho_WOOOOOOOOOOOOOOO")] 
}

#after
INFO  [project::context_server_store::extension]
loaded command for context server mcp-server-github:
Command {
  command: "/Users/peter/Library/Application Support/Zed/extensions/work/mcp-server-github/github-mcp-server-v0.5.0/github-mcp-server",
  args: ["stdio"],
  env: [("GITHUB_PERSONAL_ACCESS_TOKEN", "[REDACTED]")]
}
```

Release Notes:

- Redact sensitive environment variables from MCP logs
This commit is contained in:
Peter Tripp 2025-06-21 11:19:23 -04:00 committed by GitHub
parent 76e3136369
commit a713c66a9d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 45 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

8
crates/util/src/redact.rs Normal file
View file

@ -0,0 +1,8 @@
/// Whether a given environment variable name should have its value redacted
pub fn should_redact(env_var_name: &str) -> bool {
const REDACTED_SUFFIXES: &[&str] =
&["KEY", "TOKEN", "PASSWORD", "SECRET", "PASS", "CREDENTIALS"];
REDACTED_SUFFIXES
.iter()
.any(|suffix| env_var_name.ends_with(suffix))
}

1
crates/util/src/util.rs
View file

@ -4,6 +4,7 @@ pub mod command;
pub mod fs;
pub mod markdown;
pub mod paths;
pub mod redact;
pub mod serde;
pub mod shell_env;
pub mod size;