Description
In app/api/architecture/route.ts at lines 279-281, a GitHub Personal Access Token (PAT) is embedded directly into a git clone URL:
const repoUrl = `https://username:${process.env.GITHUB_TOKEN}@github.com/${fullName}.git`;
This presents two distinct exposure vectors:
1. Process table exposure: The git clone command is executed as a subprocess. On Linux/Unix systems the full argv (including the URL with the embedded token) is readable by any local user through ps aux or /proc/<pid>/cmdline; unlike the process environment, the command line is not restricted to the process owner. In containerized environments the host's process list includes container processes, so the token is visible from the host as well.
2. Error log exposure: At line 290, if the clone fails, the error handler logs the full repoUrl including the token:
logger.error('Failed to clone repository', { repoUrl });
Using the structured logger does not help here: the object is serialized as given, so the token reaches whatever log transport is configured (files, stdout, log aggregation services) and persists for as long as those logs are retained.
Impact
CRITICAL — Credential exposure. An attacker with access to any of:
- The server's process table (e.g., via a compromised co-tenant container, or from the host)
- Server logs (e.g., via a log aggregation service with loose access controls)
- Shell history files on the server, if the same command is ever reproduced in an interactive shell while debugging
...can extract the GitHub PAT and gain whatever repository access the token's scopes grant.
Location
app/api/architecture/route.ts:279-281, 290
Suggested Fix
Replace the token-in-URL approach with one of:
- Git credential helper: configure a credential helper that Git reads from a secure store. A .git-credentials file also works, but it keeps the token in plaintext on disk, so it must be owner-only (0600) and live in a home directory the application process alone can read.
- Environment variable substitution: run git clone https://github.com/${fullName}.git with GIT_ASKPASS set to a script that prints the token (read from the environment) when Git prompts for it. The token is then never part of any command line, and the script itself contains no secret.
- Token redaction in logging: at minimum, sanitize repoUrl before passing it to the logger:
const safeUrl = repoUrl.replace(process.env.GITHUB_TOKEN!, '[REDACTED]');
logger.error('Failed to clone repository', { repoUrl: safeUrl });
Note that String.prototype.replace with a string pattern replaces only the first occurrence, which is enough here because the token appears once in the URL. The simpler and safer option is to log fullName instead of the URL at all, since the URL adds nothing the repository name does not already say. Redaction is a stopgap: the token still appears in the process table until the URL itself stops carrying it.
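The GIT_ASKPASS approach from the second bullet, worked through end to end as an added example (this is illustration code written for this note, not the project's route.ts; the function names, the GIT_TOKEN variable name and the x-access-token placeholder username are assumptions):

```typescript
// Added example (not the project's route.ts). Names such as buildCloneSpec,
// writeAskpassScript, redactSecret, cloneRepository and the GIT_TOKEN variable
// are assumptions made for this illustration.
import { execFile } from "node:child_process";
import { promisify } from "node:util";
import { mkdtempSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";

const execFileAsync = promisify(execFile);

interface CloneSpec {
  file: string;                             // executable to spawn
  args: string[];                           // argv: this is what ps / /proc/<pid>/cmdline expose
  env: Record<string, string | undefined>;  // child environment: readable by the owner and root only
}

// Git invokes GIT_ASKPASS with the prompt text as $1, once for the username and
// once for the password. The script answers from its environment, so the token
// is never part of any command line. "x-access-token" is the placeholder
// username GitHub documents for token-based HTTPS access; any value works.
const ASKPASS_SCRIPT = `#!/bin/sh
case "$1" in
  Username*) printf '%s\\n' "x-access-token" ;;
  *)         printf '%s\\n' "$GIT_TOKEN" ;;
esac
`;

// Write the askpass helper into a private directory. It contains no secret,
// but it is owner-only anyway so nobody else can swap it for a token-stealing one.
function writeAskpassScript(dir: string): string {
  const scriptPath = join(dir, "git-askpass.sh");
  writeFileSync(scriptPath, ASKPASS_SCRIPT, { mode: 0o700 });
  return scriptPath;
}

// Build the spawn parameters for a clone whose argv carries no credential.
function buildCloneSpec(fullName: string, token: string, askpassPath: string, destDir: string): CloneSpec {
  // Only owner/repo is accepted, so fullName cannot inject extra URL components.
  if (!/^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/.test(fullName)) {
    throw new Error("fullName must be of the form owner/repo");
  }
  return {
    file: "git",
    args: ["clone", "--depth", "1", `https://github.com/${fullName}.git`, destDir],
    env: {
      ...process.env,
      GIT_ASKPASS: askpassPath,
      GIT_TOKEN: token,            // read by the askpass script; not visible in `ps`
      GIT_TERMINAL_PROMPT: "0",    // fail instead of hanging on an interactive prompt
    },
  };
}

// Scrub every occurrence of the secret. String.prototype.replace with a string
// pattern only replaces the first match, so split/join is used instead.
function redactSecret(text: string, secret: string | undefined): string {
  return secret ? text.split(secret).join("[REDACTED]") : text;
}

// execFile (not exec) spawns git directly: no shell, hence no shell history and
// no shell-metacharacter injection through fullName or destDir.
async function cloneRepository(fullName: string, token: string, destDir: string): Promise<void> {
  const askpassPath = writeAskpassScript(mkdtempSync(join(tmpdir(), "askpass-")));
  const spec = buildCloneSpec(fullName, token, askpassPath, destDir);
  try {
    await execFileAsync(spec.file, spec.args, { env: spec.env });
  } catch (err) {
    // execFile's error message embeds the command line and stderr; scrub it
    // defensively and log the repository name rather than any URL.
    const detail = redactSecret(err instanceof Error ? err.message : String(err), token);
    console.error("Failed to clone repository", { fullName, error: detail });
    throw new Error(`git clone of ${fullName} failed: ${detail}`);
  }
}
```

With the token out of the URL, fullName is the only attacker-influenced string left in argv, which is why the owner/repo check and the shell-free execFile call matter. On Linux, /proc/<pid>/environ is readable only by the process owner and root, so moving the token from the command line into the environment closes the read path that ps aux gives every local user.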