by mike_d 1065 days ago
Self-reply since I can't edit my comment anymore. It looks like they are fixing this:

https://github.com/superfly/tokenizer/pull/9


The problem described in the comment above isn't really a problem: you can only inject secrets into headers (like `X-Whatever-API-Key`); you can't inject it into the payload of a request, to, like, ask for an invoice to be printed with the API key as an invoice ID.

But there are headers that can get reflected --- too many of them, in too many different environments, so we're just whitelisting which headers you can use on a per-secret basis.

The much, much better vulnerability is the byte-at-a-time attack Jann found. Also fixed! A great bug.
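The per-secret header allowlist described in the reply above, as an added example that is not part of the thread and not the tokenizer project's own code. It models a proxy step that substitutes a secret only into headers explicitly allowlisted for that secret, leaves the body alone, and reports (or refuses) any placeholder that appears anywhere else. The placeholder syntax (`{{name}}`), the `Secret`/`Request` types, and the sample request and key value are all constructed for this example.

```python
"""Secret injection restricted to a per-secret header allowlist (illustrative).

Not the tokenizer project's code. The `{{name}}` placeholder syntax, the data
types and the sample values below are assumptions made for this example.
"""
from dataclasses import dataclass, field

PLACEHOLDER_OPEN = "{{"   # hypothetical placeholder syntax
PLACEHOLDER_CLOSE = "}}"


@dataclass
class Secret:
    name: str
    value: str
    # Header names this secret may be injected into (compared case-insensitively).
    allowed_headers: frozenset = field(default_factory=frozenset)


@dataclass
class Request:
    method: str
    url: str
    headers: dict
    body: str = ""


class InjectionRefused(Exception):
    """Raised when a placeholder references a secret outside its allowlist."""


def _placeholder(secret_name):
    return f"{PLACEHOLDER_OPEN}{secret_name}{PLACEHOLDER_CLOSE}"


def inject_secrets(req, secrets, strict=True):
    """Return (new_request, refused).

    A secret is substituted only into headers on its own allowlist. Placeholders
    in other headers or in the body are never substituted; each one is recorded
    as (location, secret_name) in `refused`. With strict=True any refusal raises,
    so a request carrying a stray placeholder is never forwarded.
    """
    by_name = {s.name: s for s in secrets}
    refused = []
    new_headers = {}
    for hname, hval in req.headers.items():
        out = hval
        for sname, secret in by_name.items():
            ph = _placeholder(sname)
            if ph not in out:
                continue
            allowed = {h.lower() for h in secret.allowed_headers}
            if hname.lower() in allowed:
                out = out.replace(ph, secret.value)
            else:
                refused.append((f"header:{hname}", sname))
        new_headers[hname] = out
    # Bodies never receive secrets; a placeholder there is an error, not a feature.
    for sname in by_name:
        if _placeholder(sname) in req.body:
            refused.append(("body", sname))
    if refused and strict:
        raise InjectionRefused(refused)
    return Request(req.method, req.url, new_headers, req.body), refused


def demo():
    """Constructed request: one allowed header, one reflected-style header, one body field."""
    api = Secret("invoice_api", "sk_live_EXAMPLE",  # constructed sample value
                 frozenset({"X-Whatever-API-Key"}))
    req = Request(
        "POST", "https://api.example.test/invoices",
        {"X-Whatever-API-Key": "{{invoice_api}}", "X-Debug": "{{invoice_api}}"},
        body='{"invoice_id": "{{invoice_api}}"}',
    )
    return inject_secrets(req, [api], strict=False)


if __name__ == "__main__":
    out, refused = demo()
    print(out.headers, refused)
```

In non-strict mode the function hands back the refusal list so a caller can log which header or body field tried to reference a secret; in strict mode (the default) the request is dropped before it reaches the upstream, which is the safer choice for a proxy whose whole job is keeping the secret off the wire anywhere but the intended header.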