Summary
At logging.level: debug, mcpproxy writes upstream server secrets in cleartext to main.log (and they persist on disk under ~/Library/Logs/mcpproxy/). Masking is applied inconsistently: one log line redacts the values while three others render the same argv with the values in full.
Severity
Live credentials (Slack tokens, Jira/Confluence personal access tokens, any -e KEY=value passed to a docker-command server) end up in a plaintext logfile that survives restarts and would be included in any debug-log bundle a user attaches to a bug report.
Where
For a server whose command is docker run … -e TOKEN=…, env vars are injected as -e KEY=value and then logged:
- ✅ Masked — core/connection_stdio.go:391 `shellwrap: wrapping command with user login shell`: wrapped_command logs JIRA_PERSONAL_TOKEN=OTU***tC (good)
- ❌ Full cleartext — core/connection.go `Initialized stdio transport`: final_args contains -e JIRA_PERSONAL_TOKEN=<full>, -e SLACK_MCP_XOXC_TOKEN=xoxc-<full>, -e SLACK_MCP_XOXD_TOKEN=xoxd-<full>
- ❌ Full cleartext — transport/stdio.go:203 `Process group configuration applied`: args contains the same -e KEY=<full value> list
- ❌ Full cleartext — core/connection.go `Injected env vars into direct docker command`: modified_args lists every -e KEY=<full value>
The earlier Injected env vars… / Initialized stdio transport / Process group configuration applied lines should reuse the same redaction the shellwrap line already applies.
Steps to reproduce
- Configure a docker-command upstream with secret env (e.g. SLACK_MCP_XOXC_TOKEN, JIRA_PERSONAL_TOKEN), values resolved from keyring.
- Set logging.level: debug, restart.
- grep -E 'xoxc-|xoxd-|PERSONAL_TOKEN=' ~/Library/Logs/mcpproxy/main.log → full secrets present.
Expected
All log lines that render the spawned argv/env redact secret values (consistent with the shellwrap line). Consider redacting by env-var key name (anything resolved from keyring / matching known secret patterns) before logging argv at any level.
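One way to apply the same redaction at every argv-rendering log site, as an added example that is not mcpproxy's own code: walk the spawned args, find `-e`/`--env` pairs, and mask the value when the key was resolved from the keyring or matches a secret-looking name or a known token prefix. The key/value patterns, the `keyringKeys` set, and the `-eKEY=value` attached-value form are assumptions for illustration; the `OTU***tC` mask shape follows the shellwrap line quoted above. `LeaksAny` is the check a unit test on each log site (final_args, args, modified_args) could assert against.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Heuristic for env-var names that usually hold credentials.
// Assumed list for illustration, not mcpproxy's own.
var secretKeyPattern = regexp.MustCompile(`(?i)(TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|PRIVATE_KEY|CREDENTIAL)`)

// Well-known token prefixes, so a value is masked even when the key name looks harmless.
var secretValuePattern = regexp.MustCompile(`^(xox[abcdpe]-|ghp_|github_pat_|AKIA)`)

// maskValue keeps a short prefix/suffix for log correlation, matching the
// OTU***tC shape already used by the shellwrap line; short values are masked fully.
func maskValue(v string) string {
	if len(v) < 8 {
		return "***"
	}
	return v[:3] + "***" + v[len(v)-2:]
}

// isSecretKey is true for keys resolved from the keyring (caller-supplied set,
// assumed here) or whose name matches the secret heuristic.
func isSecretKey(key string, keyringKeys map[string]bool) bool {
	return keyringKeys[key] || secretKeyPattern.MatchString(key)
}

// RedactDockerEnvArgs returns a copy of argv in which the value of every
// "-e KEY=value", "-eKEY=value", "--env KEY=value" and "--env=KEY=value" flag
// is masked when KEY is a secret. All other arguments are returned unchanged,
// and the input slice is never mutated (the real argv must still reach exec).
func RedactDockerEnvArgs(args []string, keyringKeys map[string]bool) []string {
	out := make([]string, len(args))
	copy(out, args)
	for i := 0; i < len(out); i++ {
		arg := out[i]
		idx, prefix, kv := i, "", ""
		switch {
		case arg == "-e" || arg == "--env":
			if i+1 >= len(out) {
				return out // dangling flag; nothing to redact
			}
			i++ // KEY=value is the next argument
			idx, kv = i, out[i]
		case strings.HasPrefix(arg, "--env="):
			prefix, kv = "--env=", arg[len("--env="):]
		case strings.HasPrefix(arg, "-e") && len(arg) > 2:
			prefix, kv = "-e", arg[2:] // attached form, assumed accepted by docker's flag parser
		default:
			continue
		}
		key, val, ok := strings.Cut(kv, "=")
		if !ok {
			continue // "-e KEY" alone forwards the host value; no value is printed
		}
		if isSecretKey(key, keyringKeys) || secretValuePattern.MatchString(val) {
			out[idx] = prefix + key + "=" + maskValue(val)
		}
	}
	return out
}

// LeaksAny reports whether a rendered log field still contains any raw secret value.
func LeaksAny(rendered string, secrets []string) bool {
	for _, s := range secrets {
		if s != "" && strings.Contains(rendered, s) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed argv; the token values are placeholders, not real credentials.
	args := []string{"run", "--rm", "-i",
		"-e", "JIRA_PERSONAL_TOKEN=OTU1234567890tC",
		"-e", "SLACK_MCP_XOXC_TOKEN=xoxc-1234567890abcdef",
		"--env=DEBUG=1",
		"ghcr.io/example/mcp-server"}
	fmt.Println("raw:     ", strings.Join(args, " "))
	fmt.Println("redacted:", strings.Join(RedactDockerEnvArgs(args, nil), " "))
}
```

The redacted copy is what goes into the `final_args`, `args` and `modified_args` log fields; the unmodified slice is what gets passed to exec. Redacting by key name rather than by grepping the rendered line means a new token format that does not match `secretValuePattern` is still covered as long as its env-var name came from the keyring.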
Environment
mcpproxy v0.41.0, macOS 26.5.1 (arm64). Observed while collecting debug diagnostics for #696.