🔒 Fix Personal Access Token exposure in runner-self-test.sh#1191
Conversation
Modified `scripts/runner-self-test.sh` to pass the GitHub Personal Access Token (`GH_PAT`) to `curl` via stdin using the `-K-` option. This prevents the token from appearing in process listings or command history, addressing a security vulnerability. Changes: - Replaced direct `-H "Authorization: token $GH_PAT"` with a piped configuration using `printf` and `curl -K-`. - Added a security verification test in `tests/security/verify-curl-fix.sh`. Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request resolves a critical security vulnerability by preventing the exposure of GitHub Personal Access Tokens (GH_PAT) in system process listings and command history. By refactoring how the Highlights
🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Changelog
Activity
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request correctly addresses a critical security vulnerability by preventing the GH_PAT from being exposed in the process list and command history. The method of piping the Authorization header to curl using the -K- option is an effective and appropriate fix. The addition of a verification script is also a great step. I have one suggestion for the new test script to make it more robust by eliminating a potential race condition, which will ensure the test reliably verifies the fix.
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
GrammaTonic
deleted the
security/fix-token-exposure-runner-self-test-7830841904974959260
branch
* chore(deps): chore(deps)(deps): bump actions/cache from 4 to 5 Automatically merged Dependabot PR after CI validation. * chore(deps): chore(deps)(deps): bump trufflesecurity/trufflehog from 3.93.7 to 3.93.8 Automatically merged Dependabot PR after CI validation. * chore(deps): chore(deps)(deps): bump docker/metadata-action from 5 to 6 Automatically merged Dependabot PR after CI validation. * 🔒 Fix Personal Access Token exposure in runner-self-test.sh (#1191) * 🔒 fix: prevent Personal Access Token exposure in CLI history Modified `scripts/runner-self-test.sh` to pass the GitHub Personal Access Token (`GH_PAT`) to `curl` via stdin using the `-K-` option. This prevents the token from appearing in process listings or command history, addressing a security vulnerability. Changes: - Replaced direct `-H "Authorization: token $GH_PAT"` with a piped configuration using `printf` and `curl -K-`. - Added a security verification test in `tests/security/verify-curl-fix.sh`. Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com> * Update tests/security/verify-curl-fix.sh Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --------- Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * 🔒 Fix Command Injection in Deploy Script via Unescaped Hostname (#1193) * 🔒 Fix command injection vulnerability in deploy script Added container name validation and improved docker command security by using the -- delimiter to prevent option injection. - Added `validate_container_name` function to enforce Docker naming conventions. - Updated `health_check` and `show_status` functions in `scripts/deploy.sh` to validate container names before use and use `--` in Docker commands. Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com> * Update scripts/deploy.sh Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * Update scripts/deploy.sh Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * Update scripts/deploy.sh Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --------- Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * 🔒 fix(security): sanitize job name in file paths to prevent traversal (#1192) * fix(security): sanitize job name in file paths Mitigate path traversal vulnerability by sanitizing GITHUB_JOB before using it in file paths in job-started.sh and job-completed.sh. Introduced a sanitize_name function in utils.sh to replace unsafe characters with underscores. Updated unit tests accordingly. Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com> * Update tests/unit/test-job-started.sh Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * Update docker/utils.sh Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --------- Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * feat: enforce Node.js 24 for all runners and workflows (#1190) * feat: enforce Node.js 24 for all runners via FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 env var - Adds FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true to all runner Docker Compose files - Documents the variable in all example .env files - Ensures all JavaScript actions use Node.js 24 across standard, Chrome, and Chrome-Go runners See #performance, #devops, #nodejs, #ci-cd * chore: enforce Node.js 24 for all actions in ci-cd workflow via FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 env var --------- Co-authored-by: rr <rr> --------- Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
* chore(deps): chore(deps)(deps): bump actions/cache from 4 to 5 Automatically merged Dependabot PR after CI validation. * chore(deps): chore(deps)(deps): bump trufflesecurity/trufflehog from 3.93.7 to 3.93.8 Automatically merged Dependabot PR after CI validation. * chore(deps): chore(deps)(deps): bump docker/metadata-action from 5 to 6 Automatically merged Dependabot PR after CI validation. * 🔒 Fix Personal Access Token exposure in runner-self-test.sh (#1191) * 🔒 fix: prevent Personal Access Token exposure in CLI history Modified `scripts/runner-self-test.sh` to pass the GitHub Personal Access Token (`GH_PAT`) to `curl` via stdin using the `-K-` option. This prevents the token from appearing in process listings or command history, addressing a security vulnerability. Changes: - Replaced direct `-H "Authorization: token $GH_PAT"` with a piped configuration using `printf` and `curl -K-`. - Added a security verification test in `tests/security/verify-curl-fix.sh`. Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com> * Update tests/security/verify-curl-fix.sh Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --------- Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * 🔒 Fix Command Injection in Deploy Script via Unescaped Hostname (#1193) * 🔒 Fix command injection vulnerability in deploy script Added container name validation and improved docker command security by using the -- delimiter to prevent option injection. - Added `validate_container_name` function to enforce Docker naming conventions. - Updated `health_check` and `show_status` functions in `scripts/deploy.sh` to validate container names before use and use `--` in Docker commands. Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com> * Update scripts/deploy.sh Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * Update scripts/deploy.sh Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * Update scripts/deploy.sh Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --------- Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * 🔒 fix(security): sanitize job name in file paths to prevent traversal (#1192) * fix(security): sanitize job name in file paths Mitigate path traversal vulnerability by sanitizing GITHUB_JOB before using it in file paths in job-started.sh and job-completed.sh. Introduced a sanitize_name function in utils.sh to replace unsafe characters with underscores. Updated unit tests accordingly. Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com> * Update tests/unit/test-job-started.sh Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * Update docker/utils.sh Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --------- Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * feat: enforce Node.js 24 for all runners and workflows (#1190) * feat: enforce Node.js 24 for all runners via FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 env var - Adds FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true to all runner Docker Compose files - Documents the variable in all example .env files - Ensures all JavaScript actions use Node.js 24 across standard, Chrome, and Chrome-Go runners See #performance, #devops, #nodejs, #ci-cd * chore: enforce Node.js 24 for all actions in ci-cd workflow via FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 env var --------- Co-authored-by: rr <rr> * chore: update Go version to 1.25.7 across Chrome-Go runner configs, Dockerfiles, compose, and docs --------- Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> Co-authored-by: GrammaTonic <8269379+GrammaTonic@users.noreply.github.com> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Co-authored-by: rr <rr>
1 participant
🎯 What: The vulnerability fixed
Exposure of Personal Access Token (
GH_PAT) in CLI history and process listings.An attacker with access to the system could view the token by listing running processes (e.g.,
ps aux) or by inspecting command history if the script was executed manually. This token could then be used to gain unauthorized access to the GitHub repository.🛡️ Solution: How the fix addresses the vulnerability
The fix uses
curl's--config -(or-K-) option to read headers from standard input. By usingprintf(a shell builtin) to pipe the Authorization header directly intocurl, the secret token never appears as an argument to thecurlprocess, thus keeping it out of process listings and command history.A new test script
tests/security/verify-curl-fix.shhas been added to verify that the token is correctly transmitted in headers while remaining hidden from the process list.PR created automatically by Jules for task 7830841904974959260 started by @GrammaTonic