OctoPrint's File Check tells me there's a leaked API key in my files

If you got a notification like this upon uploading or selecting a file:


or the same message when clicking on a "File Check detected issues with this file!" warning in your file list or state panel, it means that OctoPrint's bundled File Check plugin found some credentials in your file leaked by your slicer.

This is caused by a security issue in your slicer, with the following slicers and versions affected:

  • PrusaSlicer earlier than version 2.2.0, version 2.2.0 released on 2020-03-21 and newer are fixed
  • BambuStudio up to and including version 1.8.4, version 1.9.0 (pre)released on 2024-03-25 and newer are fixed
  • OrcaSlicer up to and including version 1.9.0, version 1.9.1 released on 2024-02-17 and newer are fixed

These slicers contained code that upon writing of the resulting GCODE file will not only include the used slicing settings, but also the credentials of your print host if the slicer integration is used. That will leak your OctoPrint API key and host endpoint if you have configured your slicer for automatic uploads and such.

If the File Check plugin detects this issue in any of your files, you should:

  1. Immediately reset the leaked API key for your OctoPrint installation (see below on how to do this)
  2. Update your slicer to the latest unaffected version (see the version information above)
  3. Reconfigure your slicer to use a new API key

How to reset a leaked API key in OctoPrint

Reset an Application Key

Got to User Settings > Application Keys. Delete the leaked key by clicking on the trashcan icon.

Then either manually generate a new one and update it on your third party clients, or let your third party client reauthenticate.

Reset the global API key

Go to Settings > API, reveal the API key if needed and then click on the little refresh symbol.

More information on how this security issue in BambuStudio and OrcaSlicer was discovered

The issue in BambuStudio and OrcaSlicer was discovered by @foosel on February 7th 2024, followed through the forks from OrcaSlicer to BambuStudio to PrusaSlicer (which had it already fixed), and then promptly responsibly disclosed to the respective maintainers.

Full timeline below:

  • 2024-02-07: The issue is discovered and - after a surprising amount of time spent on actually finding a security contact for BambuStudio - responsibly disclosed to both OrcaSlicer and BambuStudio via private email, including source code locations, suggested patch, and requesting a fix within 90 days if possible as this issue could put OctoPrint users at risk.
  • 2024-02-08: Both OrcaSlicer and BambuStudio have responded and acknowledged the issue.
  • 2024-02-10: OrcaSlicer has prepared a patch and pushed it to their repo, this is communicated via email as well.
  • 2024-02-17: A new stable version of OrcaSlicer, 1.9.1, is pushed with the fix, this is communicated via email as well.
  • 2024-03-11: Mail to BambuStudio to ask if there has been any progress. There has been no communication since 2024-02-08.
  • 2024-03-12: Reply from BambuStudio, confirming a fix has been created and will be released within 2-3 weeks after some more testing.
  • 2024-03-25: A prerelease of BambuStudio, 1.9.0, is pushed out with the fix. This is discovered by sheer coincidence.
  • 2024-03-27: A prerelease of version 2024.3.27 of the bundled OctoPrint-FileCheck plugin is pushed out. It contains code to detect files containing leaked API keys and a new batch scan mode to check all already uploaded files.
1 Like

On my OctoPi 0.18.0, OctoPrint 1.10.0rc3 system I checked Prerelease for OctoPrint-FileCheck plugin and it updated.

On my OctoPrint 1.10.0rc3 Python 3.9.2 OctoPi* 1.0.0cam (build 2023.07.20.144556) system, I check Prerelease and it just switches back to Stable.

@b-morgan please open a ticket for that on the plugin repo, the FAQ entry on the leaked API key issue is the wrong place and I only saw this by coincidence :sweat_smile: