Summary
All three Apify API calls append the API token directly to the URL query string (?token=...), causing the secret token to appear in server access logs, HTTP library debug output, and any network monitoring tools.
Location
- File: `src/lib.rs`
- Line(s): 198, 244–246, 280–282
Severity
High
Details
```rust
let url = format!("{}/acts/{}/runs?token={}", self.api_base, actor_id, api_key);
```
Tokens in URL query strings are logged by web server access logs, HTTP library debug output, system-level network monitoring, and any proxies in the request path.
Suggested Fix
Use the Authorization header instead:
```rust
let resp = self.http
    .post(&url_without_token)
    .bearer_auth(api_key)
    .json(input)
    .send()
    .await?;
```
Remove ?token=... from all format strings.
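The following is an added example, not code from the project's `src/lib.rs`. It puts the flagged pattern next to the header-based form, gives a check that a pre-send hook or unit test can run to confirm the secret never lands in the URL, and adds a scrubber for access-log lines already written with `?token=` values. The `ApiRequest` type, the actor id and the token value are constructed for the example; it uses only the standard library so it runs stand-alone, whereas the project would hand the `Authorization` header to reqwest, whose `.bearer_auth()` sets the same `Bearer` header.

```rust
// Added example (not the project's code): Apify "run actor" request with the
// token in an Authorization header instead of the query string, plus a
// scrubber for access-log lines that still carry `?token=` values.

/// Minimal description of an outbound HTTP request (hypothetical type).
#[derive(Debug, Clone, PartialEq)]
pub struct ApiRequest {
    pub method: &'static str,
    pub url: String,
    pub headers: Vec<(&'static str, String)>,
}

/// The pattern the finding flags: the secret is part of the URL, so every
/// access log, proxy and debug trace on the request path records it.
pub fn run_actor_request_leaky(api_base: &str, actor_id: &str, token: &str) -> ApiRequest {
    ApiRequest {
        method: "POST",
        url: format!("{}/acts/{}/runs?token={}", api_base, actor_id, token),
        headers: vec![("Content-Type", "application/json".to_string())],
    }
}

/// Hardened form: same endpoint, token moved into the Authorization header.
pub fn run_actor_request(api_base: &str, actor_id: &str, token: &str) -> ApiRequest {
    ApiRequest {
        method: "POST",
        url: format!("{}/acts/{}/runs", api_base, actor_id),
        headers: vec![
            ("Authorization", format!("Bearer {}", token)),
            ("Content-Type", "application/json".to_string()),
        ],
    }
}

/// Guard for a unit test or pre-send hook: does the URL carry the secret?
pub fn url_contains_secret(url: &str, secret: &str) -> bool {
    !secret.is_empty() && url.contains(secret)
}

/// Redact the value of every `token=` query parameter in a log line, so logs
/// written before the fix can be scrubbed before they are shipped or shared.
/// Only `?token=` / `&token=` is touched; `x-token=` in a header dump stays.
pub fn redact_token_params(line: &str) -> String {
    const KEY: &str = "token=";
    let mut out = String::with_capacity(line.len());
    let mut rest = line;
    while let Some(pos) = rest.find(KEY) {
        let is_query_param = pos > 0 && matches!(rest.as_bytes()[pos - 1], b'?' | b'&');
        let key_end = pos + KEY.len();
        out.push_str(&rest[..key_end]);
        rest = &rest[key_end..];
        if is_query_param {
            // The value ends at the next parameter, whitespace, or closing quote.
            let value_len = rest
                .find(|c: char| c == '&' || c == '"' || c.is_whitespace())
                .unwrap_or(rest.len());
            out.push_str("[REDACTED]");
            rest = &rest[value_len..];
        }
    }
    out.push_str(rest);
    out
}

fn main() {
    // Constructed sample values; not a real credential or actor.
    let token = "apify_api_EXAMPLE_TOKEN";
    let leaky = run_actor_request_leaky("https://api.apify.com/v2", "user~actor", token);
    let fixed = run_actor_request("https://api.apify.com/v2", "user~actor", token);
    println!("leaky URL carries secret: {}", url_contains_secret(&leaky.url, token));
    println!("fixed URL carries secret: {}", url_contains_secret(&fixed.url, token));
    // Constructed access-log line in the shape the finding describes.
    let log = "10.0.0.5 - - \"POST /v2/acts/user~actor/runs?token=apify_api_EXAMPLE_TOKEN HTTP/1.1\" 201";
    println!("{}", redact_token_params(log));
}
```

`url_contains_secret` is the cheap regression check worth keeping after the fix: call it on every URL the client builds with the live token and fail the build if it returns true. The scrubber only covers log lines that are already on disk; the header-based request is what stops new ones from being written.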
Automated finding by repo-monitor