Avoid passing GitHub token in git clone URL (argv leak via ps)#100
Open
shotaro421 wants to merge 1 commit intoanthropics:mainfrom
Open
Avoid passing GitHub token in git clone URL (argv leak via ps)#100shotaro421 wants to merge 1 commit intoanthropics:mainfrom
shotaro421 wants to merge 1 commit intoanthropics:mainfrom
Conversation
_setup_repository builds clone_url as https://{token}@github.com/... and
passes it positionally to subprocess.run(['git', 'clone', ..., clone_url]).
argv is readable by every other local user through `ps -ef` for the
duration of the clone, git persists the URL in the cloned repo's
.git/config, and any error path that echoes the failed command will
emit the token to stderr.
Switch to the standard GIT_ASKPASS mechanism: the token is supplied to
git via an environment variable read by a small mode-0700 temp shell
helper, so it never appears in argv or .git/config. The clone URL uses
`x-access-token` as a placeholder username, and the helper file is
unlinked in a `finally` block.
Adds a regression test that walks every recorded subprocess.run call and
asserts the token never appears in any argv element, and verifies that
GIT_ASKPASS / GIT_AUTH_TOKEN are set on the clone env. Existing test
suite remains green (174 passed including the new test).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
_setup_repositoryinclaudecode/evals/eval_engine.pybuilds thegit clone URL as
https://{token}@github.com/...and passes it as apositional argument to
subprocess.run(['git', 'clone', ..., clone_url, ...]). argv isvisible to every other local user via
ps -effor the duration ofthe clone, git additionally persists the URL in the cloned repo's
.git/config, and any error path that echoes the failed command canemit the token to stderr.
GIT_ASKPASSmechanism: thetoken is supplied to git via an environment variable read by a small
temp shell helper, so it never appears in argv or
.git/config. Theclone URL uses
x-access-tokenas a placeholder username, and thehelper file is created with mode 0o700 and removed in a
finallyblock.
Test plan
test_setup_repository_clone_does_not_leak_token_in_argvwalksevery recorded
subprocess.runcall and asserts the token neverappears in any argv element, and verifies
GIT_ASKPASS/GIT_AUTH_TOKENare set on the clone env.How this was found
The issue surfaced during a self-audit of a downstream fork that wraps
this repository. Happy to share the original finding payload if useful.