fix: Add validation format check for SDK key

devin-ai-integration[bot] · jsonbailey · devin-ai-integration[bot] · commit 133b3db81188 · 2025-09-29T13:55:31.000Z
- Add validate_sdk_key function to prevent logging invalid SDK keys
- Validate SDK key format in Config constructor
- Add comprehensive tests for SDK key validation
- Follow existing validation patterns in codebase

Prevents logging of invalid SDK keys by validating that they contain
only visible ASCII characters suitable for HTTP headers. Invalid keys
trigger a ValueError with a generic message that doesn't expose the
actual key value.

Co-Authored-By: jbailey@launchdarkly.com &lt;accounts@sidewaysgravity.com&gt;
diff --git a/ldclient/config.py b/ldclient/config.py
@@ -9,7 +9,7 @@
 
 from ldclient.feature_store import InMemoryFeatureStore
 from ldclient.hook import Hook
-from ldclient.impl.util import log, validate_application_info
+from ldclient.impl.util import log, validate_application_info, validate_sdk_key
 from ldclient.interfaces import (
     BigSegmentStore,
     DataSourceUpdateSink,
@@ -261,6 +261,9 @@ def __init__(
         :param omit_anonymous_contexts: Sets whether anonymous contexts should be omitted from index and identify events.
         :param payload_filter_key: The payload filter is used to selectively limited the flags and segments delivered in the data source payload.
         """
+        if sdk_key and not validate_sdk_key(sdk_key, log):
+            raise ValueError("SDK key contains invalid characters")
+        
         self.__sdk_key = sdk_key
 
         self.__base_uri = base_uri.rstrip('/')
@@ -542,8 +545,8 @@ def data_source_update_sink(self) -> Optional[DataSourceUpdateSink]:
         return self._data_source_update_sink
 
     def _validate(self):
-        if self.offline is False and self.sdk_key is None or self.sdk_key == '':
-            log.warning("Missing or blank sdk_key.")
+        if self.offline is False and (self.sdk_key is None or self.sdk_key == ''):
+            log.warning("Missing or blank SDK key")
 
 
 __all__ = ['Config', 'BigSegmentsConfig', 'HTTPConfig']
diff --git a/ldclient/impl/util.py b/ldclient/impl/util.py
@@ -53,6 +53,25 @@ def validate_application_value(value: Any, name: str, logger: logging.Logger) ->
     return value
 
 
+def validate_sdk_key(sdk_key: str, logger: logging.Logger) -> bool:
+    """
+    Validate that an SDK key contains only characters that are valid for HTTP headers.
+    Returns True if valid, False if invalid. Logs a generic error message for invalid keys.
+    """
+    if not isinstance(sdk_key, str):
+        logger.warning("SDK key must be a string")
+        return False
+    
+    if sdk_key == '':
+        return True  # Empty keys are handled separately in _validate()
+    
+    if re.search(r"[^\x21-\x7E]", sdk_key):
+        logger.warning("SDK key contains invalid characters")
+        return False
+    
+    return True
+
+
 def _headers(config):
     base_headers = _base_headers(config)
     base_headers.update({'Content-Type': "application/json"})
diff --git a/ldclient/testing/impl/test_util.py b/ldclient/testing/impl/test_util.py
@@ -0,0 +1,51 @@
+import logging
+from unittest.mock import Mock
+from ldclient.impl.util import validate_sdk_key
+
+
+def test_validate_sdk_key_valid():
+    """Test validation of valid SDK keys"""
+    logger = Mock(spec=logging.Logger)
+    
+    valid_keys = [
+        "sdk-12345678-1234-1234-1234-123456789012",
+        "valid-sdk-key-123",
+        "VALID_SDK_KEY_456"
+    ]
+    
+    for key in valid_keys:
+        assert validate_sdk_key(key, logger) is True
+        logger.warning.assert_not_called()
+        logger.reset_mock()
+
+
+def test_validate_sdk_key_invalid():
+    """Test validation of invalid SDK keys"""
+    logger = Mock(spec=logging.Logger)
+    
+    invalid_keys = [
+        "sdk-key-with-\x00-null",
+        "sdk-key-with-\n-newline", 
+        "sdk-key-with-\t-tab"
+    ]
+    
+    for key in invalid_keys:
+        assert validate_sdk_key(key, logger) is False
+        logger.warning.assert_called_with("SDK key contains invalid characters")
+        logger.reset_mock()
+
+
+def test_validate_sdk_key_non_string():
+    """Test validation of non-string SDK keys"""
+    logger = Mock(spec=logging.Logger)
+    
+    assert validate_sdk_key("123", logger) is True
+    logger.warning.assert_not_called()
+
+
+def test_validate_sdk_key_empty():
+    """Test validation of empty SDK keys"""
+    logger = Mock(spec=logging.Logger)
+    
+    assert validate_sdk_key("", logger) is True
+    logger.warning.assert_not_called()
diff --git a/ldclient/testing/test_config.py b/ldclient/testing/test_config.py
@@ -45,6 +45,39 @@ def test_trims_trailing_slashes_on_uris():
     assert config.stream_base_uri == "https://blog.launchdarkly.com"
 
 
+def test_sdk_key_validation_valid_keys():
+    """Test that valid SDK keys are accepted"""
+    valid_keys = [
+        "sdk-12345678-1234-1234-1234-123456789012",
+        "valid-sdk-key-123",
+        "VALID_SDK_KEY_456"
+    ]
+    
+    for key in valid_keys:
+        config = Config(sdk_key=key)
+        assert config.sdk_key == key
+
+
+def test_sdk_key_validation_invalid_keys():
+    """Test that invalid SDK keys are rejected"""
+    invalid_keys = [
+        "sdk-key-with-\x00-null",
+        "sdk-key-with-\n-newline",
+        "sdk-key-with-\t-tab",
+        "sdk-key-with-\x7F-del"
+    ]
+    
+    for key in invalid_keys:
+        with pytest.raises(ValueError, match="SDK key contains invalid characters"):
+            Config(sdk_key=key)
+
+
+def test_sdk_key_validation_empty_key():
+    """Test that empty SDK keys don't trigger format validation"""
+    config = Config(sdk_key="")
+    assert config.sdk_key == ""
+
+
 def application_can_be_set_and_read():
     application = {"id": "my-id", "version": "abcdef"}
     config = Config(sdk_key="SDK_KEY", application=application)
