Skip to content

Stop credential tokens leaking into usage output#77

Merged
Soph merged 2 commits into
mainfrom
fix/credential-token-usage-leak
Jun 17, 2026
Merged

Stop credential tokens leaking into usage output#77
Soph merged 2 commits into
mainfrom
fix/credential-token-usage-leak

Conversation

@Soph

@Soph Soph commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

Problem

Token flags registered their environment value as the pflag default:

cmd.Flags().StringVar(&auth.Token, "source-token", envOr("GITSYNC_SOURCE_TOKEN", ""), "...")

pflag prints non-empty defaults in --help, so GITSYNC_SOURCE_TOKEN=secret git-sync sync --help printed (default "secret"). Worse, the unknown-flag fallback in main.go dumps the full usage block to stderr — so a typo'd flag in a CI job with GITSYNC_*_TOKEN set wrote the credential straight into CI logs.

Verified empirically against the built binary before and after.

Fix

  • Register secret flags (source/target --*-token and --*-bearer-token, including the inlined ones in convert-sha256) with empty defaults and apply the env value after parsing via a PreRunE hook, only when the flag was not given explicitly. An explicit flag still wins over the environment.
  • Add chainPreRunE so independent flag helpers can each attach post-parse logic without clobbering one another; route the existing allRefsFlag through it too.
  • Pair registration + env fallback in a single addSecretFlag call so a future secret flag can't re-introduce the leak by reaching for an envOr default.

Non-secret flags (--*-username, --*-insecure-skip-tls-verify) keep using env-as-default since their values are safe to print.

Tests

flags_test.go asserts both invariants: the secret never appears in usage output, and the env fallback still populates auth (with an explicit flag overriding the environment).

🤖 Generated with Claude Code


Note

Low Risk
CLI-only credential handling change with tests; behavior for explicit flags and env fallback is preserved, with reduced exposure in logs.

Overview
Prevents GITSYNC_* tokens and bearer values from appearing in --help and error usage dumps by no longer using envOr as the pflag default for secret flags.

Source/target --*-token and --*-bearer-token (including convert-sha256) now register with empty defaults via addSecretFlag, which applies the env value in a chained PreRunE only when the flag was not set on the command line. Explicit flags still override the environment. Non-secret auth flags keep env-as-default behavior.

chainPreRunE composes multiple post-parse hooks so allRefsFlag and secret env fallbacks do not overwrite each other’s PreRunE. New tests in flags_test.go assert secrets never show up in usage text and that env fallback plus flag precedence still work.

Reviewed by Cursor Bugbot for commit 7c04242. Configure here.

Soph and others added 2 commits June 17, 2026 09:00
Token flags registered their env value as the pflag *default*
(e.g. StringVar(&auth.Token, "source-token", envOr("GITSYNC_SOURCE_TOKEN", ""))).
pflag prints non-empty defaults in --help, and the unknown-flag fallback in
main.go dumps the full usage block to stderr — so a typo'd flag in a CI job
with GITSYNC_*_TOKEN set wrote the credential into CI logs.

Register secret flags (source/target token + bearer-token, including the
inlined ones in convert-sha256) with empty defaults and apply the env value
after parsing via a PreRunE hook, only when the flag was not given explicitly.
An explicit flag still wins over the environment.

Add chainPreRunE so independent flag helpers can each attach post-parse logic
without clobbering one another, and route allRefsFlag through it too.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Entire-Checkpoint: 409a151aeced
Fold the empty-default StringVar and addSecretEnvFallback into a single
addSecretFlag(cmd, dst, name, env, usage) call. Previously each secret flag
needed two coordinated statements; a new secret flag could re-introduce the
usage leak by registering an envOr default and forgetting the fallback.
Pairing them makes the safe handling the only handling.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Entire-Checkpoint: 495d629c11b1
@Soph Soph merged commit f4069f1 into main Jun 17, 2026
4 checks passed
@Soph Soph deleted the fix/credential-token-usage-leak branch June 17, 2026 11:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

2 participants