mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-07-01 12:02:05 +00:00
fix(cron): log and redact on secrets-redaction failure
If redact_sensitive_text() raises or fails to import, stdout/stderr were silently left unredacted and could leak API keys or tokens into cron job delivery messages and logs. Replace the bare `except Exception: pass` with a warning log and replace both outputs with '[REDACTED - redaction failed]' to prevent leaks. Root cause: silent exception swallow in _run_job_script() Impact: potential secrets leak in cron job output delivery
parent
d3d768efb9
commit
da4f15cddc
1 changed files with 4 additions and 2 deletions
|
|
@ -1648,8 +1648,10 @@ def _run_job_script(script_path: str) -> tuple[bool, str]:
|
|||
from agent.redact import redact_sensitive_text
|
||||
stdout = redact_sensitive_text(stdout)
|
||||
stderr = redact_sensitive_text(stderr)
|
||||
except Exception:
|
||||
pass
|
||||
except Exception as e:
|
||||
logger.warning("Failed to redact sensitive text from output: %s", e)
|
||||
stdout = "[REDACTED - redaction failed]"
|
||||
stderr = "[REDACTED - redaction failed]"
|
||||
|
||||
if result.returncode != 0:
|
||||
parts = [f"Script exited with code {result.returncode}"]
|
||||
|
|
|
|||
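Review bot: The new `logger.warning("Failed to redact sensitive text from output: %s", e)` in the except branch writes the exception's message to the log. If `redact_sensitive_text` (not shown here) can raise with a fragment of its input in the message, the secrets this commit withholds from stdout/stderr would still reach the log. Logging only the exception class keeps the fail-closed behaviour: `logger.warning("Failed to redact sensitive text from output: %s", type(e).__name__)`. The handler also depends on a module-level `logger` that is not visible in this hunk, so it is worth confirming it exists, since a missing name would make the handler itself raise. `_run_job_script` starts and ends outside the hunk, so how the placeholder is treated downstream (for example when stdout was empty before redaction) cannot be checked from here.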