From d60aa06a43a45dc906ff6a61c71bf3874e7943a6 Mon Sep 17 00:00:00 2001 From: tuanaiseo Date: Sun, 26 Apr 2026 06:07:44 +0700 Subject: [PATCH] fix(security): github token embedded in clone url may leak creden The repository cloning logic constructs an HTTPS URL containing the raw GitHub token (`https://@github.com/...`). Tokens embedded in URLs can leak through process listings, crash logs, shell history, proxy logs, or be persisted in `.git/config` as the remote origin URL. Affected files: file_management.py Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com> --- evaluation/utils/file_management.py | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/evaluation/utils/file_management.py b/evaluation/utils/file_management.py index 9e2f6175..2558e15d 100644 --- a/evaluation/utils/file_management.py +++ b/evaluation/utils/file_management.py @@ -123,7 +123,12 @@ def clone_repo(repo, root_dir, token): repo_dir = Path(root_dir, f"repo__{repo.replace('/', '__')}") if not repo_dir.exists(): - repo_url = f"https://{token}@github.com/{repo}.git" + repo_url = f"https://github.com/{repo}.git" + clone_kwargs = {} + if token: + clone_kwargs["multi_options"] = [ + f"-c http.extraheader=AUTHORIZATION: bearer {token}" + ] logger.info(f"Cloning {repo} {os.getpid()}") - Repo.clone_from(repo_url, repo_dir) + Repo.clone_from(repo_url, repo_dir, **clone_kwargs) return repo_dir