Security Issue
The model may suggest commands containing sensitive data learned from history:
- API keys:
export AWS_SECRET_ACCESS_KEY=AKIA...
- Passwords:
mysql -p'secretpassword'
- Tokens:
curl -H "Authorization: Bearer eyJ..."
- Private paths:
ssh user@internal-server.company.com
Proposed Solution
1. Training-time filtering
Filter sensitive patterns before training:
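use regex::Regex;

// Returns true if the command matches any sensitive-data pattern.
fn is_sensitive(cmd: &str) -> bool {
    let patterns = [
        // \w* lets the keyword sit inside a longer name, e.g. AWS_SECRET_ACCESS_KEY=
        r"(?i)(api[_-]?key|secret|token|password|passwd|pwd)\w*\s*=",
        r"(?i)bearer\s+[a-zA-Z0-9_-]+",
        r"(?i)-p'[^']+'", // mysql -p'password'
        r"(?i)authorization:\s*",
        r"AKIA[0-9A-Z]{16}", // AWS access key ID
    ];
    patterns.iter().any(|p| Regex::new(p).unwrap().is_match(cmd))
}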
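One way to run the training-time filter over shell history using only the standard library, added here as an example and not aprender-shell's own code. Token checks stand in for the regex patterns; the function names, reason labels and sample history are assumptions constructed for illustration.

```rust
// Added example, std only: token checks stand in for the regex crate.
const SENSITIVE_NAMES: [&str; 7] = ["api_key", "apikey", "secret", "token", "password", "passwd", "pwd"];

/// "AKIA" followed by 16 characters of [0-9A-Z], anywhere in the token.
fn has_aws_key_id(tok: &str) -> bool {
    tok.match_indices("AKIA").any(|(i, _)| {
        let rest = &tok.as_bytes()[i + 4..];
        rest.len() >= 16 && rest[..16].iter().all(|b| b.is_ascii_digit() || b.is_ascii_uppercase())
    })
}

/// Why a history line must not reach the training set, or None if it may.
fn sensitive_reason(cmd: &str) -> Option<&'static str> {
    let lower = cmd.to_ascii_lowercase();
    if lower.contains("authorization:") || lower.contains("bearer ") {
        return Some("auth-header");
    }
    for tok in cmd.split_whitespace() {
        if tok.starts_with("-p'") && tok.len() > 3 {
            return Some("inline-password"); // mysql -p'...'
        }
        if has_aws_key_id(tok) {
            return Some("aws-key-id");
        }
        // NAME=value or --flag=value whose name contains a sensitive word anywhere.
        if let Some((name, value)) = tok.split_once('=') {
            let name = name.to_ascii_lowercase().replace('-', "_");
            if !value.is_empty() && SENSITIVE_NAMES.iter().any(|k| name.contains(*k)) {
                return Some("secret-assignment");
            }
        }
    }
    None
}

/// Returns only the history lines that are safe to train on.
fn filter_history<'a>(lines: &[&'a str]) -> Vec<&'a str> {
    lines.iter().copied().filter(|l| sensitive_reason(l).is_none()).collect()
}

fn main() {
    // Constructed history; the credentials are made-up placeholders.
    let history = [
        "git status",
        "export AWS_SECRET_ACCESS_KEY=EXAMPLE-NOT-A-REAL-SECRET",
        "mysql -u app -p'example-password'",
        "ssh -p 2222 build.example.test",
    ];
    println!("{:?}", filter_history(&history));
}
```

The filter errs toward dropping lines: an assignment such as `PWD=/tmp` is excluded too, which costs a little training data but never leaks a value.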
2. Suggestion-time filtering
Double-check before returning suggestions:
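fn suggest(prefix: &str) -> Option<String> {
    // `model` is the trained model already in scope
    let suggestion = model.predict(prefix)?;
    // Return nothing rather than a suggestion that looks sensitive
    if is_sensitive(&suggestion) {
        return None;
    }
    Some(suggestion)
}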
3. User-configurable blocklist
# ~/.config/aprender-shell/config.toml
[security]
block_patterns = [
    "internal\\.company\\.com",
    "prod-database",
]
4. Train command flag
aprender-shell train --filter-sensitive # Default: on
aprender-shell train --no-filter-sensitive # Opt-out
Priority
High - This is a data leak vector, especially for shared/exported models.
Related
- Affects export/import commands - shared models could leak secrets