
Security: GitHub token embedded in clone URL may leak credentials#340

Open · tuanaiseo wants to merge 1 commit into zilliztech:master from tuanaiseo:contribai/fix/security/github-token-embedded-in-clone-url-may-l

Conversation

@tuanaiseo

Problem

The repository cloning logic constructs an HTTPS URL containing the raw GitHub token (`https://<token>@github.com/...`). Tokens embedded in URLs can leak through process listings, crash logs, shell history, proxy logs, or be persisted in `.git/config` as the remote origin URL.

Severity: high
File: evaluation/utils/file_management.py

Solution

Avoid embedding credentials in URLs. Use Git credential helpers, GIT_ASKPASS, or authenticated headers/SSH deploy keys. If HTTPS tokens must be used, ensure they are not persisted in remotes and scrub/redact them from all logs.

Changes

  • evaluation/utils/file_management.py (modified)

Testing

  • Existing tests pass
  • Manual review completed
  • No new warnings/errors introduced

The repository cloning logic constructs an HTTPS URL containing the raw GitHub token (`https://<token>@github.com/...`). Tokens embedded in URLs can leak through process listings, crash logs, shell history, proxy logs, or be persisted in `.git/config` as the remote origin URL.

Affected files: file_management.py

Signed-off-by: tuanaiseo <[email protected]>
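The GIT_ASKPASS approach named in the Solution section, as an added example that is not the PR's diff or the project's own code: the token reaches `git` only through the child process environment, `argv` and the persisted remote carry a credential-free URL, and the same redaction helper makes log messages safe. It assumes `git` on PATH, a POSIX `sh`, and the `x-access-token` username GitHub accepts for token authentication over HTTPS.

```python
import os
import stat
import subprocess
import tempfile
from urllib.parse import urlsplit, urlunsplit

# GIT_ASKPASS helper: git runs it once for the username and once for the
# password; the token is read from the child's environment, not from argv.
ASKPASS_SCRIPT = """#!/bin/sh
case "$1" in
  *sername*) printf '%s' "x-access-token" ;;
  *) printf '%s' "$GITHUB_TOKEN" ;;
esac
"""

def redact_url_credentials(url: str) -> str:
    """Strip userinfo (user:token@) so the URL is safe to log and to persist
    as the remote origin URL in .git/config."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    host = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))

def build_clone_invocation(repo_url: str, token: str, dest: str, workdir: str):
    """Return (argv, env) for a clone that authenticates through GIT_ASKPASS.
    argv carries only the credential-free URL, so process listings, shell
    history and the saved remote never see the token."""
    script = os.path.join(workdir, "git-askpass.sh")
    with open(script, "w") as fh:
        fh.write(ASKPASS_SCRIPT)
    os.chmod(script, stat.S_IRWXU)  # owner-only read/write/execute
    env = dict(os.environ)
    env.update({"GIT_ASKPASS": script, "GITHUB_TOKEN": token,
                "GIT_TERMINAL_PROMPT": "0"})  # fail instead of prompting a tty
    argv = ["git", "clone", redact_url_credentials(repo_url), dest]
    return argv, env

def clone_repo(repo_url: str, token: str, dest: str) -> None:
    """Clone repo_url into dest without embedding the token in the URL."""
    with tempfile.TemporaryDirectory() as workdir:
        argv, env = build_clone_invocation(repo_url, token, dest, workdir)
        try:
            subprocess.run(argv, env=env, check=True, capture_output=True, text=True)
        except subprocess.CalledProcessError as exc:
            # argv[2] is already redacted, so this message is safe to log.
            raise RuntimeError(f"clone of {argv[2]} failed: {exc.stderr.strip()}") from exc
```

Passing a URL that already carries a token (the pattern the PR removes) is handled too: it is redacted before it becomes the remote.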