Skip to content

🔴 Security: TOML injection in save_api_key() #69

Description

@ajianaz

Description

save_api_key() in src/config/loader.rs:390 writes the API key using string interpolation:

format!("api_key = "{}"\n", key)

If the key value contains a " character, this produces invalid TOML or allows injection of additional key-value pairs. The migration code at lines 170-172 correctly uses toml::Tablesave_api_key() should match.

Impact

  • API key containing " could corrupt auth file
  • Inconsistent with migration code pattern
  • Defensive coding issue (unlikely for real API keys but still a vulnerability)

Suggested Fix

Use toml::Table serialization:

let mut table = toml::Table::new();
table.insert("api_key".to_string(), toml::Value::String(key.to_string()));
let content = table.to_string();

References

Found via code audit. Full report: commit SHA on develop.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions