🛡️ Sentinel: [HIGH] Fix sensitive data leakage in publish flow and regex injection#110

Open

calionauta wants to merge 1 commit into main from sentinel/fix-publish-exclusion-and-regex-11762915296613967833

🛡️ Sentinel: [HIGH] Fix sensitive data leakage in publish flow and regex injection#110
calionauta wants to merge 1 commit into
mainfrom
sentinel/fix-publish-exclusion-and-regex-11762915296613967833

Conversation

@calionauta (Owner)

🚨 Severity: HIGH
💡 Vulnerability:

  1. Incomplete file exclusion during the publish process allowed sensitive directories (e.g., sessions/) and files (e.g., models.json) to be copied to the public share repository.
  2. Regex validation for skill names used the vulnerable $ anchor, allowing trailing newlines which could potentially be used for path traversal or other bypasses.

🎯 Impact: Sensitive user data, including sessions and local configurations, could be leaked when sharing skills or agents publicly. Newline injection could bypass security checks.

🔧 Fix:

  1. Replaced the custom _ignore_func with shutil.ignore_patterns in git_publish.py and expanded the list of default ignore patterns.
  2. Updated skill name validation regex to use the \Z anchor for strict end-of-string matching in local_source.py and external_source.py.

✅ Verification:

  • Verified file exclusion with a reproduction script.
  • Verified regex fix with python one-liners.
  • Added comprehensive regression tests in tests/test_publish_security.py.
  • All tests (38 total) passed.

PR created automatically by Jules for task 11762915296613967833 started by @renatocaliari

…ection

- Replace broken custom ignore logic with shutil.ignore_patterns
- Expand DEFAULT_IGNORE_PATTERNS to include secrets and api_keys
- Use \Z anchor in skill name validation to prevent newline injection
- Add security regression tests for publish flow

Co-authored-by: renatocaliari <1719651+renatocaliari@users.noreply.github.com>
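The `$` versus `\Z` point from the description above, as an added example that is not the project's code: the character class below is an assumption, since the actual regex in local_source.py and external_source.py is not shown on this page. It puts the pre-fix and post-fix anchors side by side over a few constructed names so the one input that slips through the `$` form is visible.

```python
import re

# Assumed character class for a skill name; the real regex in
# local_source.py / external_source.py is not shown in this PR.
NAME_CHARS = r"[A-Za-z0-9][A-Za-z0-9_-]*"

# Before the fix: in Python, '$' matches at the end of the string OR just
# before a single newline that ends the string, so "name\n" passes.
WEAK_RE = re.compile(r"^" + NAME_CHARS + r"$")

# After the fix: '\Z' matches only at the true end of the string.
STRICT_RE = re.compile(r"^" + NAME_CHARS + r"\Z")


def is_valid_skill_name_weak(name: str) -> bool:
    """Pre-fix check: accepts exactly one trailing newline."""
    return WEAK_RE.match(name) is not None


def is_valid_skill_name_strict(name: str) -> bool:
    """Post-fix check: rejects any trailing newline."""
    return STRICT_RE.match(name) is not None


def is_valid_skill_name_fullmatch(name: str) -> bool:
    """Equivalent to the strict check: re.fullmatch implies ^...\\Z."""
    return re.fullmatch(NAME_CHARS, name) is not None


def compare(names):
    """Map each candidate name to (weak_result, strict_result)."""
    return {n: (is_valid_skill_name_weak(n), is_valid_skill_name_strict(n))
            for n in names}


# Constructed probe inputs (not from the project's tests).
PROBES = [
    "my-skill",        # legitimate name: both accept
    "my-skill\n",      # one trailing newline: only the weak check accepts
    "my-skill\n\n",    # two newlines: '$' needs the newline to be the last char
    "my\nskill",       # embedded newline: both reject
    "../my-skill",     # traversal characters: both reject
]

if __name__ == "__main__":
    for name, (weak, strict) in compare(PROBES).items():
        print(f"{name!r:18} weak={weak!s:5} strict={strict!s:5}")
```

`re.fullmatch` is the idiomatic way to get the same guarantee without remembering the anchor subtlety; `\Z` is the right choice when the pattern must stay a single string passed to `re.match` or `re.search`.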
@google-labs-jules (Contributor)

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@gemini-code-assist (Bot) left a comment

Code Review

This pull request addresses security vulnerabilities by updating skill name validation regex patterns to use \Z instead of $ to prevent trailing newline bypasses, and replacing a custom, error-prone file exclusion function with standard shutil.ignore_patterns to ensure sensitive files are correctly ignored during publishing. Additionally, new security tests were added. The reviewer recommended expanding the list of ignored patterns to exclude common directories and files like virtual environments, Python bytecode caches, IDE configurations, and OS metadata to prevent leaking local configuration or bloating the repository.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment on lines +28 to +29
'*.secret', '*.token', 'secrets', 'credentials',
'tokens', 'api_keys', 'mcp-secrets',
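Review bot: the bare names in this hunk ('secrets', 'credentials', 'tokens', 'api_keys', 'mcp-secrets') are fnmatch globs that shutil.ignore_patterns applies to each basename, so each excludes only an entry named exactly that; a secrets.json, credentials.yaml or tokens.txt sitting next to them is still copied. Consider adding glob forms such as 'secrets*' or '*secret*' alongside the bare names, and note that matching is case-sensitive on POSIX, so '*.secret' does not exclude KEY.SECRET there.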


security-medium

While the added ignore patterns for secrets and credentials are a great security improvement, there are several other common directories and files that can leak sensitive local configuration, environment details, or unnecessary build/cache artifacts.

Specifically, it is highly recommended to exclude:

  • Virtual Environments (.venv, venv): Can contain local binaries, scripts, and configuration files that might leak sensitive paths or credentials, and they significantly bloat the published repository.
  • Python Bytecode Cache (__pycache__, *.pyc): Unnecessary compiled files that shouldn't be published.
  • IDE/Editor Configurations (.vscode, .idea): Often contain local workspace settings, task definitions, or launch configurations that might leak local paths or environment variables.
  • OS Metadata (.DS_Store): macOS system files that are unnecessary and clutter the repository.
    '*.secret', '*.token', 'secrets', 'credentials',
    'tokens', 'api_keys', 'mcp-secrets',
    '.venv', 'venv', '__pycache__', '*.pyc',
    '.vscode', '.idea', '.DS_Store',
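To see what `shutil.ignore_patterns` does and does not exclude, here is an added example that is not code from git_publish.py. It builds a constructed skill tree, copies it the way the fixed publish flow does (per the PR description above) using a pattern list reconstructed from the description and this review suggestion, and then audits what still reached the output. The pattern list, the sample tree and the function names are assumptions.

```python
from __future__ import annotations

import shutil
import tempfile
from pathlib import Path

# Reconstructed from the PR description and the review suggestion above;
# the real DEFAULT_IGNORE_PATTERNS in git_publish.py may differ.
DEFAULT_IGNORE_PATTERNS = (
    "sessions", "models.json",
    "*.secret", "*.token", "secrets", "credentials",
    "tokens", "api_keys", "mcp-secrets",
    ".venv", "venv", "__pycache__", "*.pyc",
    ".vscode", ".idea", ".DS_Store",
)

# Bare names only match an entry called exactly that; globs close the gap.
HARDENED_IGNORE_PATTERNS = DEFAULT_IGNORE_PATTERNS + ("secrets*", "*secret*")

# Constructed skill directory (relative path -> content), not real user data.
SAMPLE_TREE = {
    "SKILL.md": "# demo skill\n",
    "models.json": "{}",
    "sessions/2024-01-01.json": "{}",
    "secrets/api.key": "k",
    "secrets.json": "{}",          # NOT matched by the bare 'secrets' pattern
    "sub/api_keys": "k",           # matched: patterns apply at every level
    ".venv/bin/python": "",
    "__pycache__/mod.cpython-312.pyc": "",
}


def build_tree(root: Path, files: dict[str, str]) -> None:
    """Materialise the constructed tree under root."""
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)


def publish(src: Path, dst: Path, patterns) -> set[str]:
    """Copy src to dst with shutil.ignore_patterns, as the fixed publish
    flow does, and return the relative path of every file that landed in dst."""
    shutil.copytree(src, dst, ignore=shutil.ignore_patterns(*patterns))
    return {p.relative_to(dst).as_posix() for p in dst.rglob("*") if p.is_file()}


def run_publish_demo(patterns=DEFAULT_IGNORE_PATTERNS) -> set[str]:
    """Build the sample tree in a temp dir, publish it, return what was copied."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "skill", Path(tmp) / "public"
        build_tree(src, SAMPLE_TREE)
        return publish(src, dst, patterns)


SENSITIVE_MARKERS = ("secret", "session", "api_key", "token", "credential", "models.json")


def leaked(published: set[str]) -> set[str]:
    """Crude post-publish audit: anything in the output that still looks sensitive."""
    return {f for f in published if any(m in f.lower() for m in SENSITIVE_MARKERS)}


if __name__ == "__main__":
    for label, pats in (("default", DEFAULT_IGNORE_PATTERNS),
                        ("hardened", HARDENED_IGNORE_PATTERNS)):
        out = run_publish_demo(pats)
        print(f"{label}: published={sorted(out)} leaked={sorted(leaked(out))}")
```

With the reconstructed default list, `secrets.json` survives because `'secrets'` only matches an entry named exactly `secrets`; the glob variants remove it. Two further caveats worth remembering: `ignore_patterns` is evaluated against basenames in each directory, so a pattern cannot express "only at the top level", and matching goes through `fnmatch`, which is case-sensitive on POSIX, so `*.secret` leaves `KEY.SECRET` in place on Linux.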
