Fix API key masking timing vulnerability in MCP setup generation #14701
Apply `::add-mask::` immediately after API key generation for Safe Outputs, Safe Inputs, and MCP Gateway to prevent timing window where keys could be captured from logs.

- Remove empty variable declarations before assignment
- Move masking to occur immediately after openssl generation
- Add comprehensive tests for immediate masking behavior

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

All tests pass. Security vulnerability fixed:

- Safe Outputs API key masked immediately after generation
- Safe Inputs API key masked immediately after generation
- MCP Gateway API key masked immediately after generation
- Comprehensive test coverage added
- All 148 workflows recompiled successfully

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
🧪 Smoke Project is now testing project operations...

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

✅ Changeset Generator completed successfully!

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

Agent Container Tool Check 🔧

Result: 11/12 tools available ❌
Status: FAIL - .NET runtime (dotnet) is not available in the container
Note: Java version output appears incorrect (showing bash version). All other tools are present and functional.

✅ Smoke Project completed successfully. All project operations validated.
Pull request overview
This PR closes a secret-masking timing window in generated MCP setup shell snippets by moving ::add-mask:: to run immediately after API key generation (Safe Outputs, Safe Inputs, and MCP Gateway), reducing the chance of keys being exposed via logs/artifacts.
Changes:
- Reordered shell commands so API keys are masked immediately after generation (before any intermediate operations).
- Removed pre-declarations like `API_KEY=""`/`MCP_GATEWAY_API_KEY=""` that created unnecessary unmasked windows.
- Updated compiled workflow lockfiles to reflect the corrected ordering.
Reviewed changes
Copilot reviewed 151 out of 151 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/workflow-skill-extractor.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/workflow-normalizer.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/workflow-health-manager.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/workflow-generator.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/weekly-issue-summary.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/video-analyzer.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/unbloat-docs.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/ubuntu-image-analyzer.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/typist.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/tidy.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/test-workflow.lock.yml | Masks MCP Gateway API key immediately after generation. |
| .github/workflows/test-project-url-default.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/test-dispatcher.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/test-create-pr-error-handling.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/terminal-stylist.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/technical-doc-writer.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/super-linter.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/sub-issue-closer.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/step-name-alignment.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/static-analysis-report.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/stale-repo-identifier.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/smoke-test-tools.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/smoke-project.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/slide-deck-maintainer.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/sergo.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/semantic-function-refactor.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/security-review.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/security-guard.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/security-compliance.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/scout.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/schema-consistency-checker.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/safe-output-health.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/research.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/repository-quality-improver.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/repo-tree-map.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/repo-audit-analyzer.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/release.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/q.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/python-data-charts.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/prompt-clustering-analysis.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/pr-triage-agent.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/pr-nitpick-reviewer.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/portfolio-analyst.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/plan.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/pdf-summary.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/org-health-report.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/metrics-collector.lock.yml | Masks MCP Gateway API key immediately after generation. |
| .github/workflows/mergefest.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/lockfile-stats.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/layout-spec-maintainer.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/jsweep.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/issue-triage-agent.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/issue-monster.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/issue-classifier.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/issue-arborist.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/instructions-janitor.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/hourly-ci-cleaner.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/grumpy-reviewer.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/go-pattern-detector.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/go-fan.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/glossary-maintainer.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/github-mcp-tools-report.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/functional-pragmatist.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/firewall.lock.yml | Masks MCP Gateway API key immediately after generation. |
| .github/workflows/firewall-escape.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/example-workflow-analyzer.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/example-permissions-warning.lock.yml | Masks MCP Gateway API key immediately after generation. |
| .github/workflows/example-custom-error-patterns.lock.yml | Masks MCP Gateway API key immediately after generation. |
| .github/workflows/duplicate-code-detector.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/draft-pr-cleanup.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/docs-noob-tester.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/discussion-task-miner.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/dictation-prompt.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/dev.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/dev-hawk.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/dependabot-project-manager.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/dependabot-go-checker.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/dependabot-burner.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/delight.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/deep-report.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/daily-workflow-updater.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/daily-team-status.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/daily-syntax-error-quality.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/daily-semgrep-scan.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/daily-secrets-analysis.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/daily-safe-output-optimizer.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/daily-news.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/daily-issues-report.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/daily-firewall-report.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/daily-file-diet.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/daily-fact.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/daily-doc-updater.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/daily-compiler-quality.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/daily-code-metrics.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/daily-choice-test.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/craft.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/copilot-session-insights.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/copilot-agent-analysis.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/codex-github-remote-mcp-test.lock.yml | Masks MCP Gateway API key immediately after generation. |
| .github/workflows/code-simplifier.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/code-scanning-fixer.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/cloclo.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/cli-version-checker.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/ci-doctor.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/ci-coach.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/chroma-issue-indexer.lock.yml | Masks MCP Gateway API key immediately after generation. |
| .github/workflows/changeset.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/brave.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/blog-auditor.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/audit-workflows.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/artifacts-summary.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/archie.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/ai-moderator.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
| .github/workflows/agent-performance-analyzer.lock.yml | Masks Safe Outputs + MCP Gateway API keys immediately after generation. |
Smoke test results (Codex)

Smoke Test Results ✅

Status: PASS ✅ cc: @pelikhan

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤
🔍 PR Triage Results

Category: bug | Risk: high | Priority: 82/100

Scores Breakdown

📋 Recommended Action: FAST_TRACK

🔥 SECURITY-CRITICAL: This PR addresses an API key masking timing vulnerability in MCP setup generation. Ensures API keys are masked immediately after generation before any other operations (PORT assignment, exports, etc.).

Impact: High-priority security fix affecting 100 workflow files. Prevents timing attacks where API keys could be exposed in logs between generation and masking.

Next Steps:

Triaged by PR Triage Agent on 2026-02-10 00:45 UTC
API keys for Safe Outputs, Safe Inputs, and MCP Gateway were masked after intermediate operations, creating a timing window where keys could leak into logs or artifacts between generation and masking.
Changes
Moved `::add-mask::` to execute immediately after key generation:

Before:

After:

Test coverage:

- `mcp_api_key_masking_test.go` with 4 tests validating immediate masking behavior across all three generation sites
Changeset
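
An added example, not part of the pull request or the project's code: a Go check in the spirit of the immediate-masking tests described above, which flags any openssl-generated shell variable that is not passed to `::add-mask::` by the very next statement. The two shell snippets, the variable names and the `openssl rand` arguments are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// genRe matches a shell assignment whose value comes from an openssl command substitution.
var genRe = regexp.MustCompile(`^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=\$\(openssl\s`)

// Constructed snippets modelled on the PR description; not the project's generated output.
const before = `MCP_GATEWAY_API_KEY=""
MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=')
export MCP_GATEWAY_PORT="80"
export MCP_GATEWAY_API_KEY
echo "::add-mask::${MCP_GATEWAY_API_KEY}"
`

const after = `MCP_GATEWAY_API_KEY=$(openssl rand -base64 45 | tr -d '/+=')
echo "::add-mask::${MCP_GATEWAY_API_KEY}"
export MCP_GATEWAY_PORT="80"
export MCP_GATEWAY_API_KEY
`

// UnmaskedWindows returns one finding per generated key that is not masked by
// the next statement (blank lines and comment lines are skipped).
func UnmaskedWindows(script string) []string {
	var stmts []string
	for _, l := range strings.Split(script, "\n") {
		t := strings.TrimSpace(l)
		if t != "" && !strings.HasPrefix(t, "#") {
			stmts = append(stmts, t)
		}
	}
	var findings []string
	for i, s := range stmts {
		m := genRe.FindStringSubmatch(s)
		if m == nil {
			continue
		}
		// The mask must name exactly this variable, as $NAME or ${NAME}.
		mask := regexp.MustCompile(`::add-mask::\$\{?` + regexp.QuoteMeta(m[1]) + `\}?(?:[^A-Za-z0-9_]|$)`)
		if i+1 == len(stmts) || !mask.MatchString(stmts[i+1]) {
			findings = append(findings, fmt.Sprintf("%s is generated in statement %d but the next statement does not mask it", m[1], i+1))
		}
	}
	return findings
}

func main() {
	fmt.Println("before:", UnmaskedWindows(before))
	fmt.Println("after: ", UnmaskedWindows(after))
}
```
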