Sanitize Discord error logs to prevent secret exposure #188

New Issue

jason.woltje · 2026-02-02T17:24:36Z

jason.woltje commented

2026-02-02 17:24:36 +00:00

Problem

Discord client errors are logged without sanitization, potentially exposing the bot token in error stack traces.

Location

apps/api/src/bridge/discord/discord.service.ts:82

this.client.on(Events.Error, (error) => {
  this.logger.error("Discord client error:", error);
  // ❌ Error might contain authentication token
});

Exposure Risks

Bot token in connection string errors
Channel IDs in error messages
User data in error context
System paths in stack traces
Configuration details

Impact

Bot token compromise → full Discord server takeover
Channel IDs exposed → unauthorized access
Privacy violation from logged user messages
System information disclosure

Acceptance Criteria

Create sanitizeDiscordError() utility
Redact tokens with regex pattern matching
Remove sensitive channel/guild IDs
Strip full stack traces from logs
Alert admins on critical Discord errors
Add tests for sanitization
Document sensitive data patterns

Implementation

this.client.on(Events.Error, (error) => {
  const sanitizedError = this.sanitizeDiscordError(error);
  this.logger.error("Discord client error:", sanitizedError);
  
  if (this.isCriticalDiscordError(error)) {
    this.notifyAdmins("Discord integration failure");
  }
});

private sanitizeDiscordError(error: Error): object {
  return {
    message: error.message.replace(
      /[\w-]{24}\.[\w-]{6}\.[\w-]{27}/g, 
      '[REDACTED_TOKEN]'
    ),
    name: error.name,
    // Omit stack and sensitive properties
  };
}

Testing

Test bot token redaction
Test channel ID removal
Verify critical errors trigger alerts
Check logs don't contain sensitive data

References

M4.2-Infrastructure verification report (2026-02-02)
Security review agent ID: a1b8b3f

## Problem Discord client errors are logged without sanitization, potentially exposing the bot token in error stack traces. ## Location apps/api/src/bridge/discord/discord.service.ts:82 ```typescript this.client.on(Events.Error, (error) => { this.logger.error("Discord client error:", error); // ❌ Error might contain authentication token }); ``` ## Exposure Risks 1. Bot token in connection string errors 2. Channel IDs in error messages 3. User data in error context 4. System paths in stack traces 5. Configuration details ## Impact - Bot token compromise → full Discord server takeover - Channel IDs exposed → unauthorized access - Privacy violation from logged user messages - System information disclosure ## Acceptance Criteria - [ ] Create sanitizeDiscordError() utility - [ ] Redact tokens with regex pattern matching - [ ] Remove sensitive channel/guild IDs - [ ] Strip full stack traces from logs - [ ] Alert admins on critical Discord errors - [ ] Add tests for sanitization - [ ] Document sensitive data patterns ## Implementation ```typescript this.client.on(Events.Error, (error) => { const sanitizedError = this.sanitizeDiscordError(error); this.logger.error("Discord client error:", sanitizedError); if (this.isCriticalDiscordError(error)) { this.notifyAdmins("Discord integration failure"); } }); private sanitizeDiscordError(error: Error): object { return { message: error.message.replace( /[\w-]{24}\.[\w-]{6}\.[\w-]{27}/g, '[REDACTED_TOKEN]' ), name: error.name, // Omit stack and sensitive properties }; } ``` ## Testing - [ ] Test bot token redaction - [ ] Test channel ID removal - [ ] Verify critical errors trigger alerts - [ ] Check logs don't contain sensitive data ## References M4.2-Infrastructure verification report (2026-02-02) Security review agent ID: a1b8b3f

jason.woltje added this to the M4.2-Infrastructure (0.0.4) milestone 2026-02-02 17:24:36 +00:00

jason.woltje added the security api api p1 labels 2026-02-02 17:24:36 +00:00

jason.woltje closed this issue

2026-02-02 18:24:36 +00:00

jason.woltje referenced this issue from a commit

2026-02-02 19:00:53 +00:00

fix(#188): sanitize Discord error logs to prevent secret exposure

Sign in to join this conversation.

Branches Tags

main

fix/orchestrator-widget-endpoints

fix/dashboard-widget-mock-data

fix/ci-glibc-image

fix/dockerfile-npmrc

fix/matrix-native-binary

fix/kaniko-cache

fix/base-image-kaniko-v2

fix/base-image-kaniko

feat/custom-base-image

ci/pnpm-cache

fix/interceptor-tests

fix/kanban-tests

feat/wire-chat

feat/usage-widget

fix/security-hardening

fix/project-domain-v2

feat/kanban-add-task

fix/project-domain-attach

fix/logs-page-clean

fix/workspace-members

fix/ci-lint-632

fix/file-manager-tags

fix/csrf-debug-log

fix/controller-type-imports

fix/system-admin-env

fix/gateway-cors-trusted-origins

feat/project-detail-page

fix/fleet-provider-form-dto-v2

fix/ms22-audit

fix/orchestrator-widgets

fix/fleet-provider-form-dto

fix/csrf-bearer-bypass

fix/ms22-missing-authmodule-imports

fix/container-lifecycle-config-module

fix/swarm-compose-ms22-vars

chore/ms22-p1-complete

feat/ms22-p1h-settings-ui

feat/ms22-p1f-onboarding-ui

feat/ms22-p1i-chat-proxy

feat/ms22-p1k-idle-reaper

feat/ms22-p1j-docker

feat/ms22-p1e-onboarding-api

feat/ms22-p1g-settings-api

feat/ms22-p1d-container-mgr

feat/ms22-p1c-config-api

chore/ms22-prd-tracking

feat/ms22-p1a-schema

feat/ms22-p1b-crypto

chore/ms22-p1-tasks

docs/ms22-architecture

feat/ms22-openclaw-docker

feat/ms22-openclaw-gateway-module

chore/ms21-complete

chore/ms21-final-tasks-done

fix/ms21-ui-001-qa

test/ms21-ui-tests

chore/ms21-tasks-sync

chore/ms22-phase0-complete

feat/ms22-ingest-clean

feat/ms21-ui-users-members

feat/ms22-task-agent

chore/tasks-final

chore/tasks-update

feat/ms21-session-invalidation

feat/ms21-rbac-settings

feat/ms21-teams-page

feat/ms21-users-page

feat/ms19-terminal-persistence

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaic/stack#188