{"slug": "the-redis-url-that-leaked-its-own-password-into-ai-agent-context", "title": "The Redis URL That Leaked Its Own Password Into AI Agent Context", "summary": "A developer discovered a secret-detection bug in ContextOS, a context operating system for AI coding agents, that failed to redact Redis passwords from connection strings. The regex pattern required at least one character for the username segment, but Redis URIs like redis://:password@host have no username, causing the password to be passed unredacted to AI agents. The fix changed a quantifier from + to * and added regression tests to prevent recurrence.", "body_md": "*This is a submission for DEV's Summer Bug Smash: Clear the Lineup powered by Sentry.*\n\nContextOS is a context operating system for AI coding agents: it scans a repo, ranks the relevant files, and builds a context pack under a token budget for the agent to work from. Before anything goes into that pack, a secret detector redacts API keys, tokens, and credentials so agents never see live secrets, published on PyPI with 980+ automated tests and an 80% coverage gate.\n\nThe `database_url`\n\nsecret-detection pattern was supposed to catch connection strings like `postgres://user:password@host`\n\nand redact the password. It required at least one character for the username segment before it would match. That's fine for Postgres and MySQL, which always have a username. It's not fine for Redis, where the standard URI convention is `redis://:password@host`\n\n, no username at all, just a password. That empty-username shape silently failed the pattern's `[^:@/\\s]+`\n\nrequirement, so detection was skipped entirely. The password sailed straight into the context pack, unredacted, ready to be handed to an LLM agent.\n\nI found it while auditing detection coverage against real-world connection string formats rather than just the formats already covered by existing tests. The exact format Redis's own documentation recommends when only a password is configured didn't get caught.\n\nPR: Rohithmatham12/ContextOS#1\n\nBefore (username segment requires 1+ chars):\n\n```\nr\"(?i)(?P<key>(?:postgres(?:ql)?|mysql|mongodb(?:\\+srv)?|redis)\"\nr\"://[^:@/\\s]+:)\"\nr\"(?P<value>[^@\\s]{4,})\"\nr\"(?=@)\"\n```\n\nAfter (username segment allows 0+ chars):\n\n```\nr\"(?i)(?P<key>(?:postgres(?:ql)?|mysql|mongodb(?:\\+srv)?|redis)\"\nr\"://[^:@/\\s]*:)\"\nr\"(?P<value>[^@\\s]{4,})\"\nr\"(?=@)\"\n```\n\nBefore, this stayed exactly as-is, verbatim, in the context pack handed to the agent:\n\n```\nREDIS_URL=redis://:supersecretpass123@cache.internal:6379/0\n```\n\nAfter:\n\n```\nREDIS_URL=redis://:[REDACTED_DB_PASSWORD]@cache.internal:6379/0\n```\n\nOne character, `+`\n\nto `*`\n\n. That's the entire regex fix, but the real work was proving it was safe: I added two regression tests covering both detection and redaction for the empty-username case, then ran the full suite: 952 passed, 2 skipped, no regressions.\n\nThis isn't a cosmetic bug. ContextOS exists specifically to hand code to AI agents safely. A credential-detection gap in that exact pipeline defeats the entire point of the tool for any project using Redis, which is most projects doing caching or session storage. The fix closes the gap for every future scan, not just the one string I tested.\n\nThe bigger lesson: test coverage that only exercises the formats you thought to write tests for will always look complete. It wasn't a logic bug so much as a coverage gap disguised as a passing test suite. The fix that matters isn't just the regex change, it's making the URL-shape assumption (\"usernames are always present\") explicit in a code comment so the next person doesn't reintroduce it.", "url": "https://wpnews.pro/news/the-redis-url-that-leaked-its-own-password-into-ai-agent-context", "canonical_source": "https://dev.to/rohith_matam_be6aea5caf13/the-redis-url-that-leaked-its-own-password-into-ai-agent-context-5c6n", "published_at": "2026-07-16 16:50:56+00:00", "updated_at": "2026-07-16 17:33:49.520094+00:00", "lang": "en", "topics": ["ai-agents", "ai-safety", "developer-tools"], "entities": ["ContextOS", "Redis", "PyPI", "Rohithmatham12"], "alternates": {"html": "https://wpnews.pro/news/the-redis-url-that-leaked-its-own-password-into-ai-agent-context", "markdown": "https://wpnews.pro/news/the-redis-url-that-leaked-its-own-password-into-ai-agent-context.md", "text": "https://wpnews.pro/news/the-redis-url-that-leaked-its-own-password-into-ai-agent-context.txt", "jsonld": "https://wpnews.pro/news/the-redis-url-that-leaked-its-own-password-into-ai-agent-context.jsonld"}}