Stop credential tokens leaking into usage output#77
Merged
Conversation
Token flags registered their env value as the pflag *default*
(e.g. StringVar(&auth.Token, "source-token", envOr("GITSYNC_SOURCE_TOKEN", ""))).
pflag prints non-empty defaults in --help, and the unknown-flag fallback in
main.go dumps the full usage block to stderr — so a typo'd flag in a CI job
with GITSYNC_*_TOKEN set wrote the credential into CI logs.
Register secret flags (source/target token + bearer-token, including the
inlined ones in convert-sha256) with empty defaults and apply the env value
after parsing via a PreRunE hook, only when the flag was not given explicitly.
An explicit flag still wins over the environment.
Add chainPreRunE so independent flag helpers can each attach post-parse logic
without clobbering one another, and route allRefsFlag through it too.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Entire-Checkpoint: 409a151aeced
Fold the empty-default StringVar and addSecretEnvFallback into a single addSecretFlag(cmd, dst, name, env, usage) call. Previously each secret flag needed two coordinated statements; a new secret flag could re-introduce the usage leak by registering an envOr default and forgetting the fallback. Pairing them makes the safe handling the only handling. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Entire-Checkpoint: 495d629c11b1
pjbgf
approved these changes
Jun 17, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Token flags registered their environment value as the pflag default:
pflag prints non-empty defaults in
--help, soGITSYNC_SOURCE_TOKEN=secret git-sync sync --helpprinted(default "secret"). Worse, the unknown-flag fallback inmain.godumps the full usage block to stderr — so a typo'd flag in a CI job withGITSYNC_*_TOKENset wrote the credential straight into CI logs.Verified empirically against the built binary before and after.
Fix
--*-tokenand--*-bearer-token, including the inlined ones inconvert-sha256) with empty defaults and apply the env value after parsing via aPreRunEhook, only when the flag was not given explicitly. An explicit flag still wins over the environment.chainPreRunEso independent flag helpers can each attach post-parse logic without clobbering one another; route the existingallRefsFlagthrough it too.addSecretFlagcall so a future secret flag can't re-introduce the leak by reaching for anenvOrdefault.Non-secret flags (
--*-username,--*-insecure-skip-tls-verify) keep using env-as-default since their values are safe to print.Tests
flags_test.goasserts both invariants: the secret never appears in usage output, and the env fallback still populates auth (with an explicit flag overriding the environment).🤖 Generated with Claude Code
Note
Low Risk
CLI-only credential handling change with tests; behavior for explicit flags and env fallback is preserved, with reduced exposure in logs.
Overview
Prevents
GITSYNC_*tokens and bearer values from appearing in--helpand error usage dumps by no longer usingenvOras the pflag default for secret flags.Source/target
--*-tokenand--*-bearer-token(includingconvert-sha256) now register with empty defaults viaaddSecretFlag, which applies the env value in a chainedPreRunEonly when the flag was not set on the command line. Explicit flags still override the environment. Non-secret auth flags keep env-as-default behavior.chainPreRunEcomposes multiple post-parse hooks soallRefsFlagand secret env fallbacks do not overwrite each other’sPreRunE. New tests inflags_test.goassert secrets never show up in usage text and that env fallback plus flag precedence still work.Reviewed by Cursor Bugbot for commit 7c04242. Configure here.