Enforce HTTPS for outbound endpoints, harden local file writes, and restrict gitleaks discovery by tacshade · Pull Request #1 · frumu-ai/trace-share

tacshade · 2026-02-25T21:27:15Z

Prevent accidental credential exposure by disallowing insecure http:// endpoints for authenticated network calls by default.
Reduce local privacy/secret exposure by writing sensitive state files with restrictive permissions.
Reduce risk of arbitrary code execution from a poisoned PATH when invoking gitleaks.

Add validate_network_url, allow_insecure_http, and is_loopback_http helpers in crates/trace-share-core/src/config.rs and call validate_network_url before making network requests for Upstash, worker, and remote registry endpoints.
Use reqwest::Client::builder().no_proxy() and a bounded timeout for outbound client construction in publish.rs, snapshot.rs, and worker.rs.
Introduce write_private_file to atomically write files and set owner-only permissions on Unix, and replace direct fs::write uses for anonymization salt, registry cache, and local sources manifest in publish.rs, sources.rs, and publish::load_or_create_anonymization_salt.
Harden gitleaks discovery in sanitize.rs to accept an absolute path via TRACE_SHARE_GITLEAKS_PATH and otherwise only consider trusted system directories via is_trusted_gitleaks_dir.
Update imports and call sites across sources.rs, publish.rs, snapshot.rs, and worker.rs to use the new helpers.
Add a new docs/SECURITY_AUDIT.md containing findings and recommendations, and bump package versions in Cargo.lock to 0.0.3 for the CLI/core crates.

Ran the crate test suite with cargo test across the workspace and all unit tests completed successfully.

security: enforce safe network/file defaults in core pipelines

4783792

tacshade added the codex label Feb 25, 2026 — with ChatGPT Codex Connector

tacshade closed this Feb 25, 2026

Provide feedback