'Exposure of confidential secret or token Stripe restricted test key'
Description
The response body contains content that matches the pattern of a Stripe restricted test key was identified. Test restricted keys offer greater security by only allowing read or write access to specific API resources. A malicious actor with access to this key is limited by the scope defined and can only access test data. Exposing this value could allow attackers to gain access to all resources granted by this token.
Remediation
For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on Credential exposure to the internet.
To rotate your Stripe restricted test key:
- Sign in to your Stripe account and access https://dashboard.stripe.com/apikeys
- Ensure "Test mode" is enabled by selecting the toggle in the top menu
- In the "Restricted keys" section, find the key that was identified and select the ellipsis in the right-hand side
- Select "Roll key..."
- In the "Roll API key" dialog, select an expiration date, for example "now"
- Select "Roll API Key"
For more information, please see Stripe's documentation on rotating API keys.
Details
| ID | Aggregated | CWE | Type | Risk |
|---|---|---|---|---|
| 798.178 | false | 798 | Passive | High |