fix: use x-goog-api-key header instead of URL query param for Gemini API#12190

Open
continue[bot] wants to merge 4 commits into main from continue-1776787237261

Conversation

@continue
Contributor

@continue continue Bot commented Apr 21, 2026

Summary

This PR fixes a security issue where the Gemini API key was being passed as a URL query parameter when fetching available models, and also fixes a CI failure caused by a deprecated Anthropic model.

Changes

1. Security Fix: Gemini API Key Exposure (Medium Severity)

File: core/llm/fetchModels.ts:181-182

Before (Insecure)

// The key is placed in the URL itself, so every component that records
// request URLs (access logs, proxies, browser history) records the key.
const url = new URL("models", base);
url.searchParams.set("key", apiKey ?? "");
const response = await fetch(url);

After (Secure)

// The key is sent as a request header; the logged URL carries no credential.
const url = new URL("models", base);
const response = await fetch(url, {
  headers: {
    "x-goog-api-key": apiKey ?? "",
  },
});

Why This Matters

API keys in URL query strings can be exposed through:

  • Server access logs
  • Browser history
  • HTTP Referer headers
  • Proxy logs
  • Error reporting services

The x-goog-api-key header is the secure method used elsewhere in this codebase (see packages/openai-adapters/src/apis/Gemini.ts) and is the recommended authentication method for Google APIs.

2. CI Fix: Update Deprecated Anthropic Model

File: extensions/cli/src/smoke-api/smoke-api-helpers.ts

Updated the default smoke test model from claude-3-haiku-20240307 (deprecated, returns not_found_error) to claude-3-5-haiku-latest.


Generated with Continue

Co-authored-by: bekah-hawrot-weigel bekah@continue.dev
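The check below is an added example, not code from the continue repository or from this PR. It rebuilds the request shape the PR switches to (key in the x-goog-api-key header, none in the URL) and adds a small detector that flags URLs, such as those copied from an access or proxy log, that still carry a credential-looking query parameter. The helper names, the list of secret-bearing parameter names and the sample URLs are all constructed for the example.

```typescript
// Added example (not part of the PR): build the Gemini "models" request the
// way the fix does, and verify that the URL carries no credential.

interface GeminiModelsRequest {
  url: string;
  headers: Record<string, string>;
}

// Hypothetical helper. Assumes `base` ends with a slash, so that
// new URL("models", base) resolves to "<base>models" as in the PR.
function buildGeminiModelsRequest(
  base: string,
  apiKey: string | undefined,
): GeminiModelsRequest {
  const url = new URL("models", base);
  return {
    url: url.toString(),
    headers: { "x-goog-api-key": apiKey ?? "" },
  };
}

// Constructed list of query parameter names that commonly carry credentials.
const SECRET_QUERY_PARAMS = ["key", "api_key", "apikey", "token", "access_token"];

// Returns the names of credential-bearing query parameters found in a URL,
// e.g. one lifted from an access or proxy log line, so a defender can flag
// requests that still leak a key the way the "before" code did.
function leakedCredentialParams(rawUrl: string): string[] {
  const url = new URL(rawUrl);
  const found: string[] = [];
  url.searchParams.forEach((_value, name) => {
    if (SECRET_QUERY_PARAMS.includes(name.toLowerCase())) {
      found.push(name);
    }
  });
  return found;
}

// Regression-style check for the request built above: the key must appear in
// the header and nowhere in the URL (neither as a known param nor as a substring).
function requestKeepsKeyOutOfUrl(req: GeminiModelsRequest, apiKey: string): boolean {
  return (
    req.headers["x-goog-api-key"] === apiKey &&
    !req.url.includes(apiKey) &&
    leakedCredentialParams(req.url).length === 0
  );
}

// Constructed sample URLs in the shape a log would record: the pre-fix form
// (key in the query string) and the post-fix form (no credential in the URL).
const SAMPLE_LOG_URLS = [
  "https://generativelanguage.googleapis.com/v1beta/models?key=AIza_EXAMPLE_PLACEHOLDER",
  "https://generativelanguage.googleapis.com/v1beta/models",
];

const exampleRequest = buildGeminiModelsRequest(
  "https://generativelanguage.googleapis.com/v1beta/",
  "AIza_EXAMPLE_PLACEHOLDER",
);
console.log(exampleRequest.url); // no "key=" in the URL
console.log(leakedCredentialParams(SAMPLE_LOG_URLS[0])); // ["key"]
console.log(leakedCredentialParams(SAMPLE_LOG_URLS[1])); // []
```

`leakedCredentialParams` is deliberately a pure function over a URL string so it can be run over exported log lines during an incident review without any network access; `requestKeepsKeyOutOfUrl` is the kind of assertion a unit test for fetchModels.ts could carry so the query-parameter form does not come back in a later refactor.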

Move API key from URL query string to x-goog-api-key header when fetching
Gemini models. This prevents credentials from being exposed in server logs,
browser history, or referrer headers.

Generated with [Continue](https://continue.dev)

Co-Authored-By: Continue <noreply@continue.dev>
Co-authored-by: bekah-hawrot-weigel <bekah@continue.dev>
@continue continue Bot requested a review from a team as a code owner April 21, 2026 16:07
@continue continue Bot requested review from sestinj and removed request for a team April 21, 2026 16:07
@dosubot dosubot Bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Apr 21, 2026
@continue
Contributor Author

continue Bot commented Apr 21, 2026

Docs Review

No documentation updates needed for this PR.

Reason: This is an internal security fix that changes how the Gemini API key is transmitted (from URL query parameter to x-goog-api-key header). This implementation detail is not exposed to users—they still configure their API key the same way, and there are no changes to user-facing configuration, behavior, or setup steps.

Good security improvement! 🔐

Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 1 file

The claude-3-haiku-20240307 model has been deprecated by Anthropic and
now returns not_found_error. Updated to claude-3-5-haiku-latest which
is the current replacement.

Generated with [Continue](https://continue.dev)

Co-Authored-By: Continue <noreply@continue.dev>
Co-authored-by: bekah-hawrot-weigel <bekah@continue.dev>
@dosubot dosubot Bot added size:S This PR changes 10-29 lines, ignoring generated files. and removed size:XS This PR changes 0-9 lines, ignoring generated files. labels Apr 21, 2026
The model naming convention has changed - claude-3-5-haiku-latest is not
a valid model name. Updated to use claude-haiku-4-5-20251001 which is the
correct current Anthropic haiku model.

Generated with [Continue](https://continue.dev)

Co-Authored-By: Continue <noreply@continue.dev>
Co-authored-by: bekah-hawrot-weigel <bekah@continue.dev>
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment


1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="extensions/cli/src/smoke-api/smoke-api-helpers.ts">

<violation number="1" location="extensions/cli/src/smoke-api/smoke-api-helpers.ts:51">
P3: The fallback-model comment no longer matches the actual default value, which can mislead future maintenance and debugging.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.

Comment thread extensions/cli/src/smoke-api/smoke-api-helpers.ts Outdated
Updated the comment to match the exact model name
claude-haiku-4-5-20251001 to prevent confusion during maintenance.

Generated with [Continue](https://continue.dev)

Co-Authored-By: Continue <noreply@continue.dev>
Co-authored-by: bekah-hawrot-weigel <bekah@continue.dev>
Labels

continue-agent size:S This PR changes 10-29 lines, ignoring generated files.
