From e171cbe07cd5c148261e94f9790ac57397d7fef3 Mon Sep 17 00:00:00 2001
From: "pensarapp[bot]" <182705637+pensarapp[bot]@users.noreply.github.com>
Date: Thu, 22 May 2025 08:50:16 +0000
Subject: [PATCH] Fix security issue: Sensitive API Key Exposure via Settings Endpoint (CWE-200)
---
 .../settings/routers/get_settings_router.py | 40 ++++++++++++++++---
 1 file changed, 34 insertions(+), 6 deletions(-)
diff --git a/cognee/api/v1/settings/routers/get_settings_router.py b/cognee/api/v1/settings/routers/get_settings_router.py
index f4e33414e..9c0e63d35 100644
--- a/cognee/api/v1/settings/routers/get_settings_router.py
+++ b/cognee/api/v1/settings/routers/get_settings_router.py
@@ -7,12 +7,22 @@ from cognee.modules.users.models import User
 from cognee.modules.settings.get_settings import LLMConfig, VectorDBConfig
-class LLMConfigOutputDTO(OutDTO, LLMConfig):
- pass
+class LLMConfigOutputDTO(OutDTO):
+ provider: Union[Literal["openai"], Literal["ollama"], Literal["anthropic"], Literal["gemini"]]
+ model: str
+ # api_key field intentionally omitted for security
-class VectorDBConfigOutputDTO(OutDTO, VectorDBConfig):
- pass
+class VectorDBConfigOutputDTO(OutDTO):
+ provider: Union[
+ Literal["lancedb"],
+ Literal["chromadb"],
+ Literal["qdrant"],
+ Literal["weaviate"],
+ Literal["pgvector"],
+ ]
+ url: str
+ # api_key field intentionally omitted for security
 class SettingsDTO(OutDTO):
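Review bot: `url: str` on the new `VectorDBConfigOutputDTO` is still returned verbatim, and a vector-store connection URL (pgvector in particular) can carry credentials in its userinfo part, so omitting `api_key` may not remove every secret from this response. What the settings module actually stores in `url` is not visible here, so confirm it, and if it can be a full connection string strip the userinfo before the DTO is built. The provider `Literal` lists are copied by hand from what is presumably `LLMConfig` and `VectorDBConfig`; a provider added there but not here would fail response validation, so a shared type alias or a comment such as `# keep in sync with LLMConfig.provider` would help. The hunk adds no import for `Union` or `Literal`, and the import block starts outside the hunk, so check that both names are already in scope.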
@@ -50,7 +60,25 @@ def get_settings_router() -> APIRouter:
 async def get_settings(user: User = Depends(get_authenticated_user)):
 from cognee.modules.settings import get_settings as get_cognee_settings
- return get_cognee_settings()
+ settings = get_cognee_settings()
+
+ # Prepare response excluding sensitive api_key fields
+ llm = settings.llm
+ vector_db = settings.vector_db
+
+ llm_output = LLMConfigOutputDTO(
+ provider=llm.provider,
+ model=llm.model,
+ )
+ vector_db_output = VectorDBConfigOutputDTO(
+ provider=vector_db.provider,
+ url=vector_db.url,
+ )
+
+ return SettingsDTO(
+ llm=llm_output,
+ vector_db=vector_db_output,
+ )
 @router.post("/", response_model=None)
 async def save_settings(
@@ -64,4 +92,4 @@ def get_settings_router() -> APIRouter:
 if new_settings.vector_db is not None:
 await save_vector_db_config(new_settings.vector_db)
- return router
+ return router
\ No newline at end of file
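Review bot: Nothing in this change pins the redaction in `get_settings`: no test asserts that the GET response has no `api_key` key, so a later refactor that returns `get_cognee_settings()` directly again would reintroduce the exposure unnoticed. The route decorator is outside the hunk; if it does not already declare `response_model=SettingsDTO`, adding it would let FastAPI enforce the field allowlist independently of the handler body. The handler also reads `settings.llm` and `settings.vector_db` as attributes, which assumes `get_cognee_settings()` returns an object rather than a plain dict, so confirm that against the settings module. The enclosing `get_settings_router` starts before this hunk and continues past it.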