Summary
When --debug is enabled and GITHUB_TOKEN is set in the environment, spc's downloader logs the full curl invocation — including the -HAuthorization: Bearer <token> header — to both the terminal and the persisted log file at log/spc.output.log. The token ends up in plaintext anywhere that output is captured (CI logs, screen recordings, support pastebins, transcripts, etc.).
Reproduction
GITHUB_TOKEN=ghp_REDACTED ./spc download zlib --debug
Output (abbreviated):
[D] [PASSTHRU] curl.exe -sfSL "-HAuthorization: Bearer ghp_REDACTED" "https://api.github.com/repos/madler/zlib/releases"
The same line appears in log/spc.output.log.
Root cause
src/globals/functions.php:164 calls logger()->debug('[PASSTHRU] ' . $cmd) with the raw command string. The bearer header is constructed at src/SPC/store/CurlHook.php:32 and added unredacted to the curl args before they reach f_passthru().
Suggested fix
Redact known sensitive args before logging. Either:
- Sanitize in f_passthru() — regex-replace -HAuthorization: Bearer \S+ and -HAuthorization: Basic \S+ with …: <redacted> before the debug-log call. Cheapest, covers all callers.
- Sanitize at the source in CurlHook — pass the curl command through a wrapper that knows which args are sensitive.
Option 1 is a 3-line change and catches future leaks of the same shape.
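As an added illustration of option 1 (this is example code written for this report, not code from the spc project), the helper below redacts the credential part of an Authorization header before a command line is logged, and a second helper can be used to audit an existing log/spc.output.log for lines that already contain such a header. The function names redact_sensitive_args, log_passthru and line_has_bearer_token are hypothetical; the character class [^"'\s]+ is used instead of \S+ so that the closing shell quote around the header survives the replacement. The sample command line is constructed for this example and contains no real token. PHP 8 is assumed for str_contains.

```php
<?php
declare(strict_types=1);

/**
 * Redact the secret part of curl Authorization headers before logging.
 * Hypothetical helper, not part of spc. Covers the shapes named in the
 * report: -HAuthorization: Bearer <token> and -HAuthorization: Basic <b64>,
 * with or without a space after -H and with or without surrounding quotes.
 */
function redact_sensitive_args(string $cmd): string
{
    $pattern = '/(-H\s*["\']?Authorization:\s*(?:Bearer|Basic)\s+)[^"\'\s]+/i';
    // ${1} keeps the "-HAuthorization: Bearer " prefix; only the secret is replaced.
    return preg_replace($pattern, '${1}<redacted>', $cmd) ?? $cmd;
}

/**
 * Shape of the change suggested for f_passthru(): redact first, then log.
 * $debug stands in for logger()->debug(...) so the example runs stand-alone.
 */
function log_passthru(string $cmd, callable $debug): void
{
    $debug('[PASSTHRU] ' . redact_sensitive_args($cmd));
}

/**
 * Audit helper for an existing log file: true when a line still carries an
 * unredacted Bearer/Basic credential (useful when deciding whether a token
 * that was used with --debug needs to be rotated).
 */
function line_has_bearer_token(string $line): bool
{
    return (bool) preg_match(
        '/Authorization:\s*(?:Bearer|Basic)\s+(?!<redacted>)[^"\'\s]+/i',
        $line
    );
}

// Constructed sample: mirrors the abbreviated output in the report, with a
// placeholder instead of a real token.
$sample = 'curl.exe -sfSL "-HAuthorization: Bearer ghp_EXAMPLE_NOT_A_REAL_TOKEN" '
        . '"https://api.github.com/repos/madler/zlib/releases"';

$redacted = redact_sensitive_args($sample);
assert(str_contains($redacted, '"-HAuthorization: Bearer <redacted>"'));
assert(!str_contains($redacted, 'ghp_EXAMPLE'));
assert(line_has_bearer_token($sample) === true);
assert(line_has_bearer_token($redacted) === false);

log_passthru($sample, function (string $msg): void {
    echo '[D] ', $msg, PHP_EOL;
});
```

The audit helper can be run over each line of log/spc.output.log with fgets(); any hit means a token was persisted in plaintext and the rotation advice under Impact applies to that log's history as well as to the token itself.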
Impact
Any user who has run --debug with GITHUB_TOKEN set should rotate the token. CI configurations that capture spc output (artifacts, log uploads) are particularly exposed.