🛡️ Sentinel: [HIGH] Prevent secret leakage in Telegram messages#51
🛡️ Sentinel: [HIGH] Prevent secret leakage in Telegram messages#51SuvenSeo wants to merge 1 commit into
Conversation
- Added `hasSensitiveContent` check to the Telegram `handleMessage` handler. - Prevents sensitive data like API keys and passwords from being persisted to `episodic_memory`. - Aligns Telegram message handling security with web chat. - Added security journal entry in `.jules/sentinel.md`. Co-authored-by: SuvenSeo <263689617+SuvenSeo@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
Pull request overview
This PR adds a sensitive-content guard to the Telegram message ingestion path so messages that appear to contain secrets are rejected before being persisted, aligning Telegram handling with the existing web chat protections. It also adds a short security-journal entry documenting the finding and prevention approach.
Changes:
- Add
hasSensitiveContentvalidation to the TelegramhandleMessageflow, logging an audit event and warning the user instead of persisting the message. - Initialize
.jules/sentinel.mdto document the security learning and prevention guidance.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| frontend/src/lib/handlers/messageHandler.js | Reject Telegram messages containing sensitive-looking content before persistence; log an audit event and warn the user. |
| .jules/sentinel.md | Add a security journal entry documenting the issue, learning, and prevention guidance. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| export async function handleMessage(chatId, text, messageId) { | ||
| await sendChatAction(chatId, 'typing'); | ||
|
|
||
| if (hasSensitiveContent(text)) { | ||
| await logAgentEvent({ | ||
| eventType: 'telegram_sensitive_message_rejected', | ||
| channel: 'telegram', | ||
| severity: 'warning', | ||
| message: 'Sensitive-looking message rejected before persistence.', | ||
| metadata: { length: text.length }, | ||
| telegramMessageId: messageId, | ||
| }); | ||
| await sendMessage(chatId, '⚠️ This message looks like it contains a password, token, or secret. SEOS will not process or store secrets in chat for your security. Use a password manager or the provider vault.'); | ||
| return; |
This PR addresses a security gap where Telegram messages containing sensitive information (such as API keys, tokens, or passwords) were being persisted to the database without validation. While the web chat interface already implemented this check, the Telegram handler was missing it.
I have updated the Telegram
handleMessagefunction to use the existinghasSensitiveContentutility. If sensitive content is detected, the message is rejected, a warning is sent to the user via Telegram, and the event is logged for audit purposes (without storing the sensitive data).Additionally, I have initialized a security journal at
.jules/sentinel.mdto track this learning and ensure future ingestion channels follow this pattern.Verification:
hasSensitiveContentcorrectly identifies secrets.frontendsuite pass.PR created automatically by Jules for task 15764462778246129647 started by @SuvenSeo