Secret Scanning V2 cloned GitHub, GitLab, and Bitbucket repositories by embedding provider credentials directly in HTTPS clone URLs. When git clone failed, Node's child-process error message could include the full command line, and the raw scan error could then be stored as scan status or sent in failure notifications.
This PR changes the V2 clone path to pass credential-free remote URLs to git, provide credentials through a temporary GIT_ASKPASS helper, strip inherited Git trace env vars from the child process, and redact sensitive auth data from scan error messages before they are stored or sent.
Screenshots
N/A
Type
Fix
Feature
Improvement
Breaking
Docs
Chore
Checklist
Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
This PR hardens the Secret Scanning V2 git clone path by moving provider credentials out of HTTPS clone URLs and into a temporary GIT_ASKPASS shell script, stripping inherited git trace environment variables from the child process, and applying redaction to error messages before they are stored or forwarded. The approach is well-tested and eliminates the primary credential-leak vectors identified in the description.
cloneRepository now validates that remoteUrl carries no embedded credentials, writes a per-scan git-askpass.sh into the unique temp directory, sets GIT_TERMINAL_PROMPT=0, and cleans up the helper after the clone completes.
parseScanErrorMessage (and the internal sanitizeErrorMessage) now redact user:password@host URL patterns and Authorization header values in addition to truncating at 1 024 characters.
All three provider factories (GitHub, GitLab, Bitbucket) are updated to pass a credential-free remoteUrl plus a typed auth struct.
Confidence Score: 4/5
The credential-isolation change is sound and well-tested; one logic flaw in the cleanup error path can cause a successful clone to surface as a failure, or hide the actual git error on failure.
The cleanupAskPass().then(..., reject) pattern passes the outer reject as the cleanup failure handler, so any rm failure replaces the clone outcome with a filesystem error — this affects all three provider paths and is worth fixing before merging.
secret-scanning-v2-fns.ts — specifically the execFile callback cleanup chain; all other changed files look correct.
Security Review
SSRF via user-controlled GitLab instance URL (gitlab-secret-scanning-factory.ts line 263): new URL(instanceUrl).host validates URL structure but does not restrict the resolved host to external addresses. An actor who can set or modify the connection's instanceUrl could direct the backend to clone from an internal endpoint (e.g., AWS metadata service, Kubernetes API). This is a pre-existing exposure surfaced on the changed code path.
Core change: replaces credential-embedded clone URLs with a GIT_ASKPASS helper and strips git trace env vars; cleanup Promise rejection handler can swallow the original git error.
New unit tests covering credential redaction, URL sanitization, GIT_TRACE env var stripping, and rejection with sanitized errors; coverage is thorough for the happy and error paths.
Credentials moved out of the clone URL to the new auth parameter; the user-supplied instanceUrl is only structurally parsed, not validated against private IP ranges (pre-existing SSRF exposure).
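The redaction described above (user:password@host URL patterns, Authorization header values, then truncation at 1,024 characters), as an added example that is not the PR's own code; the names `redactScanError` and `SAMPLE_GIT_ERROR` and the sample error text are assumptions constructed for this illustration.

```typescript
// Added example, not code from the PR: redaction of credential material from a
// git child-process error before it is stored as scan status or sent in a notification.
// The names below (redactScanError, SAMPLE_GIT_ERROR) are assumptions.

const MAX_ERROR_LEN = 1024;

// user:password@ (or token@) inside an http(s) URL; scheme and host stay readable.
const URL_CREDENTIALS = /(https?:\/\/)[^\s\/@]+:[^\s\/@]*@/gi;
// Everything after "Authorization:" on that line, whatever the scheme (Basic, Bearer, token).
const AUTH_HEADER = /(authorization:\s*)[^\r\n]+/gi;

// Constructed sample of what Node's execFile error can look like when git is handed a
// credential-bearing URL: the command line is echoed back, and git's own "fatal:" line
// may repeat the URL as well. The token is a made-up placeholder.
const SAMPLE_GIT_ERROR =
  "Command failed: git clone https://x-access-token:ghp_PLACEHOLDER123@github.com/org/repo.git /tmp/scan-1\n" +
  "fatal: repository 'https://github.com/org/repo.git/' not found";

function redactScanError(raw: string): string {
  // Redact first, then truncate: truncating first could cut a URL before its '@',
  // so the credential pattern would no longer match and a partial token would leak.
  const redacted = raw
    .replace(URL_CREDENTIALS, "$1[REDACTED]@")
    .replace(AUTH_HEADER, "$1[REDACTED]");
  return redacted.length > MAX_ERROR_LEN
    ? redacted.slice(0, MAX_ERROR_LEN) + "...[truncated]"
    : redacted;
}
```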
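The GIT_ASKPASS mechanism the review summarises, as an added example that is not the PR's own code: the helper script git calls for the username and password, and the child-process environment with inherited trace variables removed. `buildAskPassScript`, `gitEnvForClone` and `GIT_TRACE_VARS` are assumed names, not the PR's identifiers.

```typescript
// Added example, not code from the PR: the two pieces of the GIT_ASKPASS approach that
// are easy to get wrong, the helper script and the child-process environment.
// buildAskPassScript, gitEnvForClone and GIT_TRACE_VARS are assumed names.

// Single-quote a value for /bin/sh so a password containing quotes, $ or backticks
// is printed literally rather than interpreted by the shell.
function shellSingleQuote(value: string): string {
  return "'" + value.replace(/'/g, "'\\''") + "'";
}

// git invokes GIT_ASKPASS with one argument, the prompt text, e.g.
// "Username for 'https://github.com': " or "Password for 'https://user@github.com': ".
function buildAskPassScript(username: string, password: string): string {
  return [
    "#!/bin/sh",
    'case "$1" in',
    `  Username*) printf '%s\\n' ${shellSingleQuote(username)} ;;`,
    `  Password*) printf '%s\\n' ${shellSingleQuote(password)} ;;`,
    "  *) exit 1 ;;",
    "esac",
    "",
  ].join("\n");
}

// Inherited GIT_TRACE* variables (and GIT_CURL_VERBOSE, which dumps HTTP headers) are
// dropped so the child cannot be made to log the request, which would include the
// credential; the helper is wired in and terminal prompting is disabled so a missing
// answer fails fast instead of hanging.
const GIT_TRACE_VARS = /^GIT_TRACE|^GIT_CURL_VERBOSE$/;

function gitEnvForClone(
  inherited: Record<string, string | undefined>,
  askPassPath: string,
): Record<string, string> {
  const env: Record<string, string> = {};
  for (const [key, value] of Object.entries(inherited)) {
    if (value !== undefined && !GIT_TRACE_VARS.test(key)) env[key] = value;
  }
  env.GIT_ASKPASS = askPassPath;
  env.GIT_TERMINAL_PROMPT = "0";
  return env;
}
```

The script belongs in the per-scan temp directory with owner-only permissions (mode 0o700) and is removed once the clone finishes; the remote URL passed to git must itself carry no credentials.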