OctoPrint's File Check tells me there's a leaked API key in my files

If you got a notification like this upon uploading or selecting a file:

[image: screenshot of the File Check notification]

or the same message when clicking on a "File Check detected issues with this file!" warning in your file list or state panel, it means that OctoPrint's bundled File Check plugin found some credentials in your file leaked by your slicer.

This is caused by a security issue in your slicer, with the following slicers and versions affected:

  • PrusaSlicer earlier than version 2.2.0, version 2.2.0 released on 2020-03-21 and newer are fixed
  • BambuStudio up to and including version 1.8.4, version 1.9.0 (pre)released on 2024-03-25 and newer are fixed
  • OrcaSlicer up to and including version 1.9.0, version 1.9.1 released on 2024-02-17 and newer are fixed

These slicers contained code that upon writing of the resulting GCODE file will not only include the used slicing settings, but also the credentials of your print host if the slicer integration is used. That will leak your OctoPrint API key and host endpoint if you have configured your slicer for automatic uploads and such.

If the File Check plugin detects this issue in any of your files, you should:

  1. Immediately reset the leaked API key for your OctoPrint installation (see below on how to do this)
  2. Update your slicer to the latest unaffected version (see the version information above)
  3. Reconfigure your slicer to use a new API key

How to reset a leaked API key in OctoPrint

Reset an Application Key

Go to User Settings > Application Keys. Delete the leaked key by clicking on the trashcan icon.

Then either manually generate a new one and update it on your third party clients, or let your third party client reauthenticate.

Reset the global API key

Go to Settings > API, reveal the API key if needed and then click on the little refresh symbol.

More information on how this security issue in BambuStudio and OrcaSlicer was discovered

The issue in BambuStudio and OrcaSlicer was discovered by @foosel on February 7th 2024, followed through the forks from OrcaSlicer to BambuStudio to PrusaSlicer (which had it already fixed), and then promptly responsibly disclosed to the respective maintainers.

Full timeline below:

  • 2024-02-07: The issue is discovered and - after a surprising amount of time spent on actually finding a security contact for BambuStudio - responsibly disclosed to both OrcaSlicer and BambuStudio via private email, including source code locations, suggested patch, and requesting a fix within 90 days if possible as this issue could put OctoPrint users at risk.
  • 2024-02-08: Both OrcaSlicer and BambuStudio have responded and acknowledged the issue.
  • 2024-02-10: OrcaSlicer has prepared a patch and pushed it to their repo, this is communicated via email as well.
  • 2024-02-17: A new stable version of OrcaSlicer, 1.9.1, is pushed with the fix, this is communicated via email as well.
  • 2024-03-11: Mail to BambuStudio to ask if there has been any progress. There has been no communication since 2024-02-08.
  • 2024-03-12: Reply from BambuStudio, confirming a fix has been created and will be released within 2-3 weeks after some more testing.
  • 2024-03-25: A prerelease of BambuStudio, 1.9.0, is pushed out with the fix. This is discovered by sheer coincidence.
  • 2024-03-27: A prerelease of version 2024.3.27 of the bundled OctoPrint-FileCheck plugin is pushed out. It contains code to detect files containing leaked API keys and a new batch scan mode to check all already uploaded files.
1 Like
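To audit sliced files outside of OctoPrint, the following added example (not part of the original post and not the File Check plugin's code) scans G-code text for print host credentials and can blank them before a file is shared. It assumes settings are written as `; key = value` comment lines and that the keys use PrusaSlicer's config names `printhost_apikey` and `print_host`; the sample file and key are constructed.

```python
import re

# Assumptions (not from the page): settings are written as "; key = value"
# comment lines, and the print host keys use PrusaSlicer's config names.
SENSITIVE_KEYS = {"printhost_apikey", "print_host"}
SETTING_RE = re.compile(r"^\s*;\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")

# Constructed sample; the key below is made up.
SAMPLE_GCODE = """\
G28 ; home all axes
G1 X10 Y10 F3000
; layer_height = 0.2
; print_host = octopi.local
; printhost_apikey = 0123456789ABCDEF0123456789ABCDEF
; printhost_cafile =
"""

def redact(value):
    """Keep the first 4 characters so a finding can be matched without re-leaking it."""
    return value[:4] + "*" * max(len(value) - 4, 0)

def scan_gcode(text):
    """Return (line_number, key, redacted_value) for every non-empty sensitive setting."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = SETTING_RE.match(line)
        if match and match.group(1) in SENSITIVE_KEYS and match.group(2):
            findings.append((number, match.group(1), redact(match.group(2))))
    return findings

def has_leaked_api_key(text):
    """True if the file carries a non-empty API key setting."""
    return any(key == "printhost_apikey" for _, key, _ in scan_gcode(text))

def sanitize(text):
    """Blank sensitive values so the file can be shared; the leaked key must still be reset."""
    out = []
    for line in text.splitlines():
        match = SETTING_RE.match(line)
        if match and match.group(1) in SENSITIVE_KEYS:
            line = f"; {match.group(1)} = "
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for number, key, value in scan_gcode(SAMPLE_GCODE):
        print(f"line {number}: {key} = {value}")
```

Blanking the values only cleans the file; a key that has already been written into a G-code file still has to be reset as described above.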

On my OctoPi 0.18.0, OctoPrint 1.10.0rc3 system I checked Prerelease for OctoPrint-FileCheck plugin and it updated.

On my OctoPrint 1.10.0rc3 Python 3.9.2 OctoPi* 1.0.0cam (build 2023.07.20.144556) system, I check Prerelease and it just switches back to Stable.

@b-morgan please open a ticket for that on the plugin repo, the FAQ entry on the leaked API key issue is the wrong place and I only saw this by coincidence :sweat_smile:

I have OctoPrint v1.10.0 which supposedly has this issue fixed but I'm still getting this error:

#### File Check detected issues with Printxxx.gcode!

Your file contains an API key that is not supposed to be there. This is caused by a bug in your slicer, and known to happen with PrusaSlicer (<= 2.1.1), BambuStudio (<= 1.8.4) and OrcaSlicer (<= 1.9.0).

If v1.10.0 is fixed how am I still getting the error?

Could this plugin be the issue? File Check Plugin : 2024.3.27

Where have you got this information from?

The issue is with the slicers mentioned in the message. It is not an issue with OctoPrint, but it is an issue with these slicers putting your API key in the gcode file. OctoPrint 1.10.0 does not fix anything related to this.

2 Likes

Correction: I have OrcaSlicer v1.10.0, not OctoPrint, hence the question. Is OrcaSlicer v1.10 not fixed then?

"This is caused by a bug in your slicer, and known to happen with .... OrcaSlicer (<= 1.9.0)."

There is no OrcaSlicer 1.10.0 that I see. It jumps from 1.9.1 to 2.0.0 based on the releases on GitHub.

You are correct, I assumed I had the latest OrcaSlicer as I had updated everything but on checking now I see it is only v1.7, apologies, will update now. :smiling_face: