
fix: prevent GitHub PAT leak and move Gemini API key to header in architecture endpoint#6235

Merged
JhaSourav07 merged 1 commit into JhaSourav07:main from atul-upadhyay-7:fix/architecture-pat-leak-and-key-exposure on Jun 21, 2026

Conversation

@atul-upadhyay-7

Contributor

Summary

Fixes two credential exposure vulnerabilities in the unauthenticated POST /api/architecture endpoint:

  1. GitHub PAT leak to server logs — The server's GitHub PAT was embedded in the git clone URL (x-access-token:{token}@github.com/...). When clone failed, git's stderr output included the full URL with the token, logged verbatim via console.error.
  2. Gemini API key in URL query parameter — The GEMINI_API_KEY was passed as a URL query parameter, exposing it to proxy/CDN logs and outbound request logs.

Changes

1. GitHub PAT — Use GIT_ASKPASS instead of URL embedding

Instead of embedding the token in the clone URL, we now use GIT_ASKPASS to provide credentials to git. This keeps the token out of process arguments, shell history, and error output.

2. Error sanitization

Added sanitizeError() to strip x-access-token:...@ patterns from error messages before logging, as a defense-in-depth measure.

3. Gemini API key — Move from URL to header

Moved the Gemini API key from the URL query parameter to the x-goog-api-key request header to prevent exposure to proxy/CDN logs.

Testing

  • Lint: 0 errors
  • Typecheck: no new errors

Fixes #6233

Human Coded

…hitecture endpoint

The POST /api/architecture endpoint embedded the server's GitHub PAT
directly into the git clone URL (x-access-token:{token}@github.com/...).
When clone failed, git's stderr output included the full URL with the
token, which was logged verbatim via console.error — leaking the PAT
to server logs accessible to anyone with log access.

Fixes:
1. Uses GIT_ASKPASS to provide credentials to git instead of embedding
   them in the URL, keeping the token out of process arguments and
   error output.
2. Adds sanitizeError() to strip x-access-token patterns from error
   messages before logging.
3. Moves GEMINI_API_KEY from URL query parameter to x-goog-api-key
   request header to prevent exposure to proxy/CDN logs.

Fixes JhaSourav07#6233

Human Coded
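The three fixes described above (GIT_ASKPASS instead of a URL-embedded token, sanitizeError() before logging, and the Gemini key in the x-goog-api-key header), written out as an added, self-contained TypeScript example. This is not the project's app/api/architecture/route.ts and not the contributor's code; the helper names, the GIT_TOKEN variable, the sample token and stderr line, and the Gemini endpoint URL are assumptions made for this example.

```typescript
// Added example, not code from the CommitPulse repository: the three
// mitigations the PR describes, as small Node/TypeScript helpers. The
// helper names, the GIT_TOKEN variable name and the Gemini endpoint URL
// are assumptions for this example.
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";
import { spawnSync } from "node:child_process";

// 1. GIT_ASKPASS: git runs this program for the username prompt and again
//    for the password prompt. It answers from an environment variable, so
//    the PAT never appears in the clone URL, in argv or in git's stderr.
export function writeAskpassHelper(dir: string): string {
  const helper = path.join(dir, "git-askpass.sh");
  const script = [
    "#!/bin/sh",
    'case "$1" in',
    '  *[Uu]sername*) echo "x-access-token" ;;',
    "  *) printf '%s\\n' \"$GIT_TOKEN\" ;;",
    "esac",
    "",
  ].join("\n");
  fs.writeFileSync(helper, script, { mode: 0o700 });
  return helper;
}

export interface CloneInvocation {
  command: string;
  args: string[];
  env: Record<string, string | undefined>;
}

// The clone URL stays the plain https URL; the credential travels only
// through the environment of the git child process.
export function buildCloneInvocation(
  repoUrl: string, token: string, askpass: string, dest: string,
): CloneInvocation {
  return {
    command: "git",
    args: ["clone", "--depth", "1", repoUrl, dest],
    env: {
      ...process.env,
      GIT_ASKPASS: askpass,
      GIT_TOKEN: token,
      GIT_TERMINAL_PROMPT: "0", // never fall back to an interactive prompt
    },
  };
}

// Stands in for git's call into the helper (git would exec it directly;
// sh is used here so the demo does not depend on the temp dir's exec bit).
export function askpassAnswer(helper: string, prompt: string, token: string): string {
  const r = spawnSync("sh", [helper, prompt], {
    env: { ...process.env, GIT_TOKEN: token },
    encoding: "utf8",
  });
  if (r.error) throw r.error;
  return r.stdout.trim();
}

// 2. Defense in depth: redact any user:password@ userinfo in a URL (which
//    covers x-access-token:...@) and any known secret before logging.
const USERINFO_RE = /(\/\/)[^\s\/@'"]+:[^\s\/@'"]+@/g;

export function sanitizeError(message: string, secrets: string[] = []): string {
  let out = message.replace(USERINFO_RE, "$1[REDACTED]@");
  for (const s of secrets) {
    if (s) out = out.split(s).join("[REDACTED]");
  }
  return out;
}

// 3. Gemini key in the x-goog-api-key header instead of ?key= in the URL,
//    so proxy, CDN and outbound request logs never see it.
export function buildGeminiRequest(model: string, apiKey: string, body: unknown) {
  const url = `https://generativelanguage.googleapis.com/v1beta/models/${model}:generateContent`;
  return {
    url,
    init: {
      method: "POST",
      headers: { "content-type": "application/json", "x-goog-api-key": apiKey },
      body: JSON.stringify(body),
    },
  };
}

// Constructed demo values; no network access and no real clone happens.
export function demo(): string {
  const token = "ghp_EXAMPLE_NOT_A_REAL_TOKEN"; // constructed sample
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "askpass-demo-"));
  const helper = writeAskpassHelper(dir);
  const inv = buildCloneInvocation("https://github.com/example/repo.git", token, helper, path.join(dir, "repo"));
  // Constructed sample of what git prints on a failed authenticated clone.
  const gitStderr = `fatal: unable to access 'https://x-access-token:${token}@github.com/example/repo.git/': 403`;
  return [
    `argv: ${inv.args.join(" ")}`,
    `askpass username -> ${askpassAnswer(helper, "Username for 'https://github.com': ", token)}`,
    `sanitized: ${sanitizeError(gitStderr, [token])}`,
  ].join("\n");
}
```

Running demo() writes the askpass helper into a temp directory, shows that git's argv carries only the plain https URL, and shows the redacted form of a typical failed-clone stderr line. The askpassAnswer() call plays the role of git, which execs the GIT_ASKPASS program once for the username prompt and once for the password prompt; passing the known token to sanitizeError() as a second argument catches the case where the secret shows up in an error message outside any URL.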
@vercel

vercel Bot commented Jun 21, 2026

Contributor

@atul-upadhyay-7 is attempting to deploy a commit to the jhasourav07's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions

Contributor

📦 Next.js Bundle Size Report (Gzipped Sizes)

✨ No significant bundle size changes detected.

📊 Summary of Totals

| Category  | PR Size    | Base Size  | Difference |
|-----------|------------|------------|------------|
| Total JS  | 3697.00 KB | 3697.00 KB | 0 B        |
| Total CSS | 296.58 KB  | 296.58 KB  | 0 B        |

@Aamod-Dev Aamod-Dev added the labels GSSoC 2026, mentor:Aamod007, level:critical (High-priority or mission-critical contributions affecting core systems, security, or infrastructure), quality:clean (PR follows clean coding practices, proper formatting, documentation, and maintainability standards), security, and bug (Something isn't working) on Jun 21, 2026

@Aamod-Dev Aamod-Dev left a comment

Collaborator


Excellent security fixes! Moving the GitHub PAT out of the clone URL and into GIT_ASKPASS in app/api/architecture/route.ts is the standard way to prevent credential leakage in git stderr. The sanitizeError() helper adds a great layer of defense-in-depth for the server logs. Moving the Gemini API key to the header x-goog-api-key is also best practice. Approved!

@JhaSourav07 JhaSourav07 added the gssoc:approved PR has been reviewed and accepted for valid contribution points label Jun 21, 2026
@JhaSourav07 JhaSourav07 merged commit 4616131 into JhaSourav07:main Jun 21, 2026
11 of 12 checks passed
@github-actions github-actions Bot added this to the GSSoC 2026 milestone Jun 21, 2026
@github-actions

Contributor

🎉 Congratulations @atul-upadhyay-7! Your PR has been successfully merged. 🚀

Thank you for contributing to CommitPulse. Your work helps us build a better tool for the community.

⚠️ Important for GSSoC Contributors:
You are strictly advised to join our Discord Server as it is mandatory for all GSSoC participants. All important announcements, point claims, and community discussions happen there.

Keep building! 💻✨

@github-actions github-actions Bot added the type:bug Something isn't working as expected label Jun 21, 2026


Development

Successfully merging this pull request may close these issues.

Unauthenticated /api/architecture endpoint leaks GitHub PAT to server logs via failed git clone

3 participants