Summary
When the server clones repositories, it embeds the GitHub token directly in the clone URL, leaving it exposed in .git/config of every cloned repo.
Problem / Motivation
The current cloning mechanism embeds the GitHub token directly in the clone URL:
clone_url_with_token = clone_url.replace("https://", f"https://{github_token}@")
git clone {clone_url_with_token} {clone_repo_dir}
This means .git/config in every cloned repo contains the raw token:
[remote "origin"]
url = https://ghp_abc123token@github.com/org/repo.git
Risk
Any process with read access to the cloned repository can read .git/config and extract the token (and while the clone runs, the token is also visible in the git process's argument list via ps or /proc). This includes:
- AI CLI tools (Claude, Gemini, Cursor) running with permissive flags
- Custom check run commands
- Tox/pre-commit executions
- Any code in the repository itself during builds
With AI features that grant filesystem access (--dangerously-skip-permissions, --yolo, --force), a malicious PR author could craft content that tricks the AI into reading and exfiltrating the token via prompt injection.
Requirements
- Remove the GitHub token from .git/config after cloning
- Use a secure credential delivery mechanism for subsequent git operations
- Ensure all existing clone/fetch/push operations continue to work
Suggested Solutions
- Git credential helper — Configure a credential helper (git credential-cache, which keeps the token in an in-memory daemon, or a custom helper that reads it from an environment variable) instead of embedding tokens in URLs. Caveat: git credential-store writes the token in plaintext to ~/.git-credentials, which only moves the problem unless that file is unreadable to the processes that run inside the repo.
- Remove token from config after clone — Run git remote set-url origin <clean-url> after cloning and supply the token only for fetch/push via env vars. This is a mitigation rather than a fix: the token is still written to .git/config and exposed in the process argument list during the clone itself.
- SSH URLs — Use SSH deploy keys instead of HTTPS tokens; the private key must then be kept out of reach of the same processes.
- GIT_ASKPASS — Point the GIT_ASKPASS environment variable at a script that prints the token read from another environment variable, and set GIT_TERMINAL_PROMPT=0 so git never falls back to an interactive prompt.
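The following is an added example, not code from webhook_server/libs/github_api.py. It puts the vulnerable URL-embedding clone described under Risk next to a hardened variant that delivers the token through an inline credential helper reading it from the environment (the credential-helper suggestion above), so the token appears neither in .git/config nor in the git argument list. It also includes a scanner for credentialed remote URLs in an existing .git/config and the set-url fallback. The sample config texts are constructed for the example, the token value is a placeholder, and the username x-access-token is an assumption about how the server authenticates.

```python
"""Added example: token-free clone, .git/config leak check, and post-clone scrub."""
import os
import re
import subprocess
from urllib.parse import urlsplit, urlunsplit

# Matches `url = ...` / `pushurl = ...` lines in a git config file.
URL_KEY_RE = re.compile(r"^\s*(url|pushurl)\s*=\s*(\S+)", re.IGNORECASE | re.MULTILINE)

# Constructed sample configs (not taken from a real clone).
LEAKED_CONFIG = """[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://ghp_abc123token@github.com/org/repo.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
"""
CLEAN_CONFIG = LEAKED_CONFIG.replace("ghp_abc123token@", "")


def strip_userinfo(url: str) -> str:
    """Return the URL without any user[:password]@ component."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def vulnerable_clone_argv(clone_url: str, token: str, dest: str) -> list:
    """The pattern the issue describes: the token becomes part of the remote URL
    and is persisted verbatim into .git/config (kept here as the 'before')."""
    return ["git", "clone", clone_url.replace("https://", f"https://{token}@"), dest]


def build_secure_clone(clone_url: str, token: str, dest: str,
                       username: str = "x-access-token") -> tuple:
    """Return (argv, env) for a clone whose token exists only in the environment.

    The inline helper ("!" prefix) is run by git through sh; it answers only the
    'get' action and echoes credentials read from env vars, so neither the argv
    nor the stored remote URL ever contains the token.  The empty credential.helper
    first resets any globally configured helper (e.g. a plaintext 'store').
    """
    helper = ('!f() { [ "$1" = get ] || exit 0; '
              'echo "username=$GIT_AUTH_USER"; echo "password=$GIT_AUTH_TOKEN"; }; f')
    argv = ["git", "-c", "credential.helper=", "-c", f"credential.helper={helper}",
            "clone", strip_userinfo(clone_url), dest]
    env = {**os.environ, "GIT_AUTH_USER": username, "GIT_AUTH_TOKEN": token,
           "GIT_TERMINAL_PROMPT": "0"}  # never fall back to an interactive prompt
    return argv, env


def find_credentialed_urls(config_text: str) -> list:
    """Return (key, url) pairs from a git config whose URL carries userinfo."""
    hits = []
    for key, url in URL_KEY_RE.findall(config_text):
        parts = urlsplit(url)
        if parts.username or parts.password:
            hits.append((key, url))
    return hits


def scrub_remote_url(repo_dir: str, remote: str = "origin") -> str:
    """Fallback for an already-leaked clone: rewrite the remote URL without userinfo.
    Returns the clean URL. (Runs git; not exercised offline.)"""
    current = subprocess.check_output(
        ["git", "-C", repo_dir, "remote", "get-url", remote], text=True).strip()
    clean = strip_userinfo(current)
    subprocess.check_call(["git", "-C", repo_dir, "remote", "set-url", remote, clean])
    return clean


if __name__ == "__main__":
    argv, env = build_secure_clone("https://github.com/org/repo.git", "ghp_abc123token", "/tmp/repo")
    print("hardened argv:", argv)
    print("leaks in sample config:", find_credentialed_urls(LEAKED_CONFIG))
    # subprocess.run(argv, env=env, check=True)  # real clone; needs network
```

Because the helper text in argv is constant and the token travels in the environment, a `ps` snapshot during the clone shows only the helper script, and a post-clone `find_credentialed_urls(open(dest + "/.git/config").read())` returns an empty list; the same env-plus-helper pair can be reused for later fetch and push calls instead of rewriting the remote URL each time.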
Deliverables
Notes
This is a pre-existing architectural issue affecting all operations that run in cloned repos, not specific to any single feature. The scope covers all clone operations in webhook_server/libs/github_api.py.