security: stop writing API key into local_client.py #18
Merged
Older versions regex-patched the live OpenHome API key directly into
~/.openhome/local/local_client.py as a Python string literal. The key
then persisted on disk in plaintext, would be swept into Time Machine
or any user-level backup, and could leak via casual `cat` or
file-sync tools (Dropbox/iCloud).
Fix:
- Pass OPENHOME_API_KEY to the spawned Python via env on the child
process only. Never write the key to disk.
- On `local start`, if an existing local_client.py still contains a
patched literal from a prior CLI version, scrub it back to
os.environ.get("OPENHOME_API_KEY", "") so the leaked-on-disk copy
is removed in-place.
- Users with an existing install should rotate their API key in the
OpenHome dashboard since the previous value lived in a plaintext
file. local_client.py must read the key from
os.environ["OPENHOME_API_KEY"].
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Security patch — stop writing API key into local_client.py on disk. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary

`openhome local start` regex-patched the user's live OpenHome API key into `~/.openhome/local/local_client.py` as a Python string literal. This left the key persisting on disk in plaintext, swept into backups (Time Machine / Dropbox / iCloud), and readable by any process running as the user.

- `OPENHOME_API_KEY` env var to the spawned Python process instead — never written to disk.
- `local start`: if an existing `local_client.py` still has a patched literal from an older CLI, replace it with `os.environ.get("OPENHOME_API_KEY", "")`.

User action required

- `~/.openhome/local/local_client.py` (backups, sync folders, shared dev machines) has the previous value.
- `local_client.py` to read `os.environ["OPENHOME_API_KEY"]` if it currently hardcodes one.

Test plan

- `npm run build` passes (pre-existing TS errors in `assign.ts`/`client.ts` are unrelated and unchanged in count)
- `openhome local start` with no prior `local_client.py` prints the manual download instructions (unchanged)
- `local_client.py` containing `OPENHOME_API_KEY = "sk-..."`, `openhome local start` scrubs it back to `os.environ.get(...)` and prints the scrub notice
- `OPENHOME_API_KEY` in its environment

🤖 Generated with Claude Code
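As an added illustration of the two mechanisms the commit message describes (scrubbing a patched literal back to the env lookup, and handing the key to the child process through its environment only), here is a stand-alone Python version; it is not the PR's own code, which lives in the TypeScript CLI, and the file contents and key value below are constructed placeholders.

```python
import os
import re
import subprocess
import sys
from pathlib import Path

# Constructed sample of what an older CLI left behind in local_client.py;
# the key value is a placeholder, not a real credential.
PATCHED_SAMPLE = (
    "import os\n"
    'OPENHOME_API_KEY = "sk-EXAMPLE-PLACEHOLDER"\n'
    "def main():\n"
    "    print(len(OPENHOME_API_KEY))\n"
)

ENV_READ = 'os.environ.get("OPENHOME_API_KEY", "")'

# A hardcoded string literal assigned to OPENHOME_API_KEY on its own line,
# in either quote style. The env lookup itself never matches, so the scrub
# is idempotent and a clean file is left untouched.
_LITERAL_RE = re.compile(
    r'^(?P<lhs>[ \t]*OPENHOME_API_KEY[ \t]*=[ \t]*)(?P<q>["\'])[^"\'\n]*(?P=q)[ \t]*$',
    re.MULTILINE,
)


def scrub_source(src: str) -> tuple[str, bool]:
    """Return (new_source, changed); adds `import os` if the lookup needs it."""
    new_src, count = _LITERAL_RE.subn(r"\g<lhs>" + ENV_READ, src)
    if count and not re.search(r"^import os\b", new_src, re.MULTILINE):
        new_src = "import os\n" + new_src
    return new_src, count > 0


def scrub_file(path: Path) -> bool:
    """Rewrite the file in place only when a patched literal is present."""
    new_src, changed = scrub_source(path.read_text())
    if changed:
        path.write_text(new_src)
    return changed


def build_child_env(api_key: str) -> dict[str, str]:
    """Environment for the child only: a copy, so os.environ of the parent is unchanged."""
    env = dict(os.environ)
    env["OPENHOME_API_KEY"] = api_key
    return env


def spawn_client(client_path: Path, api_key: str) -> subprocess.Popen:
    """Launch local_client.py with the key in its env; nothing is written to disk."""
    scrub_file(client_path)
    return subprocess.Popen([sys.executable, str(client_path)], env=build_child_env(api_key))
```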