Problem
The BlueBubbles plugin authenticates to BB Server by embedding the API password as a query-string parameter via buildBlueBubblesApiUrl({..., password}). This is done consistently across the plugin:
- extensions/bluebubbles/src/history.ts: /api/v1/chat/.../messages?password=...
- extensions/bluebubbles/src/probe.ts: /api/v1/server/info?password=...
- extensions/bluebubbles/src/send.ts: /api/v1/message/...?password=...
- extensions/bluebubbles/src/catchup.ts: /api/v1/message/query?password=... (recent, landed via feat(bluebubbles): replay missed webhook messages after gateway restart (#66721) #66857)
Aisle's security scan flags this as CWE-598 (sensitive data exposure in URL) because query-string credentials can be captured by:
- HTTP access logs on the BB Server, reverse proxies, load balancers
- Monitoring / tracing systems that record full URLs
- Error messages / stack traces that include the URL
- Referer header propagation in some stacks
Scope
This is a cross-cutting plugin concern, not specific to any single code path. Fixing only one call site (e.g., catchup) would be inconsistent. The proper fix updates buildBlueBubblesApiUrl to stop emitting ?password=<secret> and instead:
- Use an Authorization header (if BB Server supports Bearer <password> or an equivalent auth scheme)
- OR move the password into a POST body field for endpoints that accept one
- OR at minimum, redact the password in any URL logging / error-path output and fail closed on any HTTP redirect
Implementation direction
- Audit BB Server's API documentation to identify which auth schemes it supports besides ?password= (BB Server currently supports the password query param as its primary auth mechanism per its docs; a header-based scheme would require an upstream PR to the BB Server itself OR a POST-body compromise for POST endpoints).
- If header auth isn't available upstream: at least add URL redaction in blueBubblesFetchWithTimeout error paths and anywhere URLs get logged, and add a runtime check that rejects redirects.
- If header auth is available: add an opt-in config to buildBlueBubblesApiUrl + update every call site under extensions/bluebubbles/src/.
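The following is an added example, not code from the BlueBubbles plugin or from BB Server, sketching both directions above in one place: an opt-in header auth mode on the URL builder, plus the "at minimum" fallback of redacting the secret before a URL reaches a log or error message and refusing redirects. The names buildApiUrl, redactUrlSecrets, isRedirectStatus and fetchNoRedirect are assumptions standing in for buildBlueBubblesApiUrl and blueBubblesFetchWithTimeout; the "header" mode assumes a BB Server that accepts a bearer token, which the issue notes does not exist upstream today. The fetch wrapper takes an injectable fetch so it can be exercised offline with a fake.

```typescript
// Added example, not the plugin's own code. Demonstrates the fix directions in
// this issue: keep BB Server's ?password= query-param auth (its only documented
// scheme today) behind an opt-in header mode, redact the secret wherever a URL
// is logged or surfaced in an error, and fail closed on HTTP redirects.
// buildApiUrl, redactUrlSecrets, isRedirectStatus and fetchNoRedirect are
// assumed names; "header" mode assumes upstream bearer-token support.

type AuthMode = "query" | "header";

interface ApiUrlOptions {
  baseUrl: string;              // constructed, e.g. "http://bb.local:1234"
  path: string;                 // e.g. "/api/v1/server/info"
  password: string;
  authMode?: AuthMode;          // opt-in; defaults to the query param BB Server supports
  query?: Record<string, string>;
}

interface BuiltRequest {
  url: string;
  headers: Record<string, string>;
}

// Build the request URL plus the headers the caller must send. In "header"
// mode the password never enters the URL, so it cannot leak via access logs
// or Referer; in "query" mode the caller must route the URL through
// redactUrlSecrets before logging it.
export function buildApiUrl(opts: ApiUrlOptions): BuiltRequest {
  const url = new URL(opts.path, opts.baseUrl);
  for (const [key, value] of Object.entries(opts.query ?? {})) {
    url.searchParams.set(key, value);
  }
  const headers: Record<string, string> = {};
  if ((opts.authMode ?? "query") === "header") {
    headers["Authorization"] = `Bearer ${opts.password}`;
  } else {
    url.searchParams.set("password", opts.password);
  }
  return { url: url.toString(), headers };
}

// Query parameters whose values must never reach a log line or error message.
const SENSITIVE_PARAMS = new Set(["password", "token", "apikey", "api_key"]);

// Replace sensitive query-parameter values with a fixed marker. Unparseable
// input is replaced wholesale rather than echoed back, since a malformed URL
// may still contain the secret.
export function redactUrlSecrets(rawUrl: string): string {
  let url: URL;
  try {
    url = new URL(rawUrl);
  } catch {
    return "<unparseable url>";
  }
  // Snapshot the keys first: mutating searchParams while iterating it is unsafe.
  for (const key of Array.from(url.searchParams.keys())) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) {
      url.searchParams.set(key, "REDACTED");
    }
  }
  return url.toString();
}

export function isRedirectStatus(status: number): boolean {
  return status >= 300 && status < 400;
}

export class RedirectRefusedError extends Error {}

// Minimal fetch contract so the wrapper can be exercised offline with a fake.
interface FetchInit {
  method?: string;
  headers?: Record<string, string>;
  body?: string;
  redirect?: "follow" | "manual" | "error";
}
interface MinimalResponse {
  status: number;
}
type FetchLike = (url: string, init?: FetchInit) => Promise<MinimalResponse>;

// Fail closed on redirects: with redirect: "manual" the runtime does not
// re-send the request (query string included) to whatever Location names,
// and a 3xx becomes an error whose message carries only the redacted URL.
export async function fetchNoRedirect(
  url: string,
  init: FetchInit = {},
  fetchImpl: FetchLike = (globalThis as any).fetch,
): Promise<MinimalResponse> {
  let res: MinimalResponse;
  try {
    res = await fetchImpl(url, { ...init, redirect: "manual" });
  } catch (err) {
    // Re-throw with the secret stripped so stack traces do not carry it.
    throw new Error(`request to ${redactUrlSecrets(url)} failed: ${(err as Error).message}`);
  }
  if (isRedirectStatus(res.status)) {
    throw new RedirectRefusedError(`refusing redirect (${res.status}) from ${redactUrlSecrets(url)}`);
  }
  return res;
}
```

The redaction list is deliberately a set of parameter names rather than a pattern over values, so it keeps working when the password happens to be short or to look like ordinary text; any call site that logs a URL or interpolates one into an error should go through redactUrlSecrets regardless of which auth mode is active.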
Related
- extensions/bluebubbles/src/types.ts: where buildBlueBubblesApiUrl is defined