security(copilot): strip response body from validation exception messages

Aaronontheweb · Aaronontheweb · commit 25f6ec461b08 · 2026-05-20T16:38:30.000Z
The validation throws added in the previous fix included Truncate(body)
in the missing-token path. Even though the validation only runs on a
2xx response that nominally has no usable token, a pathological response
body could still contain a token-shaped substring. Exception messages
land in daemon.log and bug-report attachments — best practice is to
never include token-exchange response bodies in messages we don't
strictly need.

Endpoint URL + missing-field indicator is sufficient for diagnostics
without any risk of leaking a credential into logs. expires_at value
(integer, never a credential) remains in its message.

Found during a pre-merge security audit.
diff --git a/src/Netclaw.Providers/GitHubCopilot/CopilotTokenExchanger.cs b/src/Netclaw.Providers/GitHubCopilot/CopilotTokenExchanger.cs
@@ -118,11 +118,18 @@ private async Task<CachedToken> ExchangeAsync(string oauthToken, CancellationTok
         // Token=null/ExpiresAt=0 and we'd cache a useless Bearer. Validate
         // here so the failure surfaces at the exchange boundary, not later
         // when the chat call returns 401.
+        //
+        // We deliberately do NOT include the raw response body in these
+        // exception messages — even on validation failure, the body of a
+        // 200 response from /copilot_internal/v2/token may still contain a
+        // token-shaped string, and exception messages can land in logs or
+        // bug reports. The endpoint URL and the missing-field indicator
+        // are sufficient for diagnostics.
         if (string.IsNullOrWhiteSpace(parsed.Token))
         {
             throw new InvalidOperationException(
                 $"GitHub Copilot token exchange at {TokenEndpoint} returned a "
-                + $"payload with no 'token' field: {Truncate(body)}");
+                + "payload with no 'token' field.");
         }
 
         if (parsed.ExpiresAt <= 0)
