GitHub Token is not properly sanitized from the debug logs
favna opened this issue
Describe the issue
This was brought to my attention thanks to #514 <_< thankfully GitHub automatically revokes leaked tokens.
When running git cliff -c github --github-repo orhun/git-cliff --verbose --debug
the token is logged twice, once at the end for the RemoteConfig but also near the start for the Opt object. The second one does get sanitized but the first one does not.
To reproduce
Steps to reproduce the behavior:
- Set GITHUB_TOKEN env var
- Run with -c github --github-repo orhun/git-cliff --verbose --debug arguments
- See the token in the logs
Expected behavior
The token is sanitized in both places so it's safe to be copy-pasted and sent for issue reports.
Screenshots / Logs
git cliff -c github --github-repo favware/cliff-jumper --verbose --debug
INFO git_cliff > Using built-in configuration file: github
TRACE git_cliff > Opt {
help: None,
version: None,
verbose: 2,
init: None,
config: "github",
workdir: None,
repository: None,
include_path: None,
exclude_path: None,
with_commit: None,
skip_commit: None,
prepend: None,
output: None,
tag: None,
bump: false,
bumped_version: false,
body: None,
latest: false,
current: false,
unreleased: false,
topo_order: false,
no_exec: false,
context: false,
strip: None,
sort: Newest,
range: None,
github_token: Some(
"LE TOKEN", <--- THIS IS NORMALLY AN UNSANITIZED GITHUB TOKEN, MANUALLY REDACTED FOR THIS ISSUE REPORT
),
github_repo: Some(
RemoteValue(
Remote {
owner: "favware",
repo: "cliff-jumper",
token: None,
},
),
),
}
TRACE git_cliff > Config {
changelog: ChangelogConfig {
header: None,
body: Some(
"## What's Changed\n\n{%- if version %} in {{ version }}{%- endif -%}\n{% for commit in commits %}\n {% if commit.github.pr_title -%}\n {%- set commit_message = commit.github.pr_title -%}\n {%- else -%}\n {%- set commit_message = commit.message -%}\n {%- endif -%}\n * {{ commit_message | split(pat=\"\n\") | first | trim }}{% if commit.github.username %} by @{{ commit.github.username }}{%- endif -%}\n {% if commit.github.pr_number %} in [#{{ commit.github.pr_number }}]({{ self::remote_url() }}/pull/{{ commit.github.pr_number }}) {%- endif %}\n{%- endfor -%}\n\n{% if github.contributors | filter(attribute=\"is_first_time\", value=true) | length != 0 %}\n {% raw %}\n{% endraw -%}\n ## New Contributors\n{%- endif %}{% for contributor in github.contributors | filter(attribute=\"is_first_time\", value=true) %}\n * @{{ contributor.username }} made their first contribution\n {%- if contributor.pr_number %} in [#{{ contributor.pr_number }}]({{ self::remote_url() }}/pull/{{ contributor.pr_number }}) {%- endif %}\n{%- endfor -%}\n\n{% if version %}\n {% if previous.version %}\n **Full Changelog**: {{ self::remote_url() }}/compare/{{ previous.version }}...{{ version }}\n {% endif %}\n{% else -%}\n {% raw %}\n{% endraw %}\n{% endif %}\n\n{%- macro remote_url() -%}\n https://github.com/{{ remote.github.owner }}/{{ remote.github.repo }}\n{%- endmacro -%}\n",
),
footer: Some(
"<!-- generated by git-cliff -->\n",
),
trim: Some(
true,
),
postprocessors: Some(
[],
),
},
git: GitConfig {
conventional_commits: Some(
false,
),
filter_unconventional: Some(
true,
),
split_commits: Some(
false,
),
commit_preprocessors: Some(
[
TextProcessor {
pattern: Regex(
"\\((\\w+\\s)?#([0-9]+)\\)",
),
replace: Some(
"",
),
replace_command: None,
},
],
),
commit_parsers: None,
protect_breaking_commits: Some(
false,
),
link_parsers: None,
filter_commits: Some(
false,
),
tag_pattern: Some(
Regex(
"v[0-9].*",
),
),
skip_tags: Some(
Regex(
"beta|alpha",
),
),
ignore_tags: Some(
Regex(
"rc",
),
),
topo_order: Some(
false,
),
sort_commits: Some(
"newest",
),
limit_commits: None,
},
remote: RemoteConfig {
github: Remote {
owner: "favware",
repo: "cliff-jumper",
token: Some(
Secret([REDACTED alloc::string::String]),
),
},
},
}
Software information
- Operating system: Windows 11 10.0.22631
- Rust version: rustc 1.76.0 (07dca489a 2024-02-04)
- Project version: 2.0.4
Additional context
Thanks a lot for the report! I fixed this in be34949 - will cut a release soon.
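An added example, not git-cliff's own code, of the mechanism behind this report: a `#[derive(Debug)]` struct dumps an `Option<String>` token verbatim into a `--debug` trace, while the same field behind a newtype with a redacting `Debug` impl prints a placeholder like the `Secret([REDACTED ...])` seen in the RemoteConfig output above. The `Secret` type and the `expose`, `render` and `leaks` helpers are assumptions made for illustration.

```rust
use std::fmt;

/// Newtype whose Debug output never shows the inner value. The `Secret`
/// name and `[REDACTED <type>]` format are assumptions modelled on the
/// RemoteConfig trace in the report, not git-cliff's own implementation.
pub struct Secret<T>(T);

impl<T> Secret<T> {
    pub fn new(value: T) -> Self { Secret(value) }
    /// Reading the value is an explicit, grep-able call site.
    pub fn expose(&self) -> &T { &self.0 }
}

impl<T> fmt::Debug for Secret<T> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "Secret([REDACTED {}])", std::any::type_name::<T>())
    }
}

/// Leaky shape: derived Debug prints the token verbatim under --debug.
#[derive(Debug)]
pub struct LeakyOpt { pub config: String, pub github_token: Option<String> }

/// Safe shape: the same field wrapped, so `{:?}` prints the placeholder.
#[derive(Debug)]
pub struct SafeOpt { pub config: String, pub github_token: Option<Secret<String>> }

/// Render both structs the way a `{:#?}` trace line would.
pub fn render(token: &str) -> (String, String) {
    let leaky = LeakyOpt { config: "github".into(), github_token: Some(token.to_string()) };
    let safe = SafeOpt { config: "github".into(), github_token: Some(Secret::new(token.to_string())) };
    (format!("{:#?}", leaky), format!("{:#?}", safe))
}

/// Check a practitioner can run over any debug dump before pasting it into
/// an issue: does the text still contain the credential?
pub fn leaks(dump: &str, token: &str) -> bool { dump.contains(token) }

fn main() {
    // Constructed placeholder, not a real credential.
    let token = "ghp_EXAMPLE_PLACEHOLDER_TOKEN";
    let (leaky, safe) = render(token);
    println!("{leaky}\nleaks token: {}\n", leaks(&leaky, token));
    println!("{safe}\nleaks token: {}", leaks(&safe, token));
}
```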