core/cli
8
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions 1

fix(security): move Gemini API key from URL query params to header (#47)

Browse source 
Pass the API key via x-goog-api-key HTTP header instead of the URL
query parameter to prevent credential leakage in proxy logs, web
server access logs, and monitoring systems.

Resolves: #47 (CVSS 5.3, OWASP A09:2021)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Claude 2026-02-12 20:29:09 +00:00 committed by Snider
parent 794cff9409
commit 68065df140
1 changed files with 9 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
pkg/ratelimit/ratelimit.go
View file

@ -343,7 +343,7 @@ func (rl *RateLimiter) AllStats() map[string]ModelStats {
// CountTokens calls the Google API to count tokens for a prompt.
func CountTokens(apiKey, model, text string) (int, error) {
url := fmt.Sprintf("https://generativelanguage.googleapis.com/v1beta/models/%s:countTokens?key=%s", model, apiKey)
url := fmt.Sprintf("https://generativelanguage.googleapis.com/v1beta/models/%s:countTokens", model)
reqBody := map[string]any{
"contents": []any{
@ -360,7 +360,14 @@ func CountTokens(apiKey, model, text string) (int, error) {
return 0, err
}
resp, err := http.Post(url, "application/json", bytes.NewBuffer(jsonBody))
req, err := http.NewRequest(http.MethodPost, url, bytes.NewBuffer(jsonBody))
if err != nil {
return 0, err
}
req.Header.Set("Content-Type", "application/json")
req.Header.Set("x-goog-api-key", apiKey)
resp, err := http.DefaultClient.Do(req)
if err != nil {
return 0, err
}