🛡️ Sentinel: [HIGH] Harden Publish Flow and Prevent Token Leakage#119
🛡️ Sentinel: [HIGH] Harden Publish Flow and Prevent Token Leakage#119calionauta wants to merge 1 commit into
Conversation
- Fix regex newline injection by replacing $ with \Z in skill validation. - Harden publish exclusion logic using fnmatch.filter. - Prevent symlink content leakage by preserving links during publish. - Redact tokens from git command arguments in CalledProcessError exceptions. - Add comprehensive security regression tests. Co-authored-by: calionauta <1719651+calionauta@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
There was a problem hiding this comment.
Code Review
This pull request introduces security enhancements to prevent token leakage in CalledProcessError and directory traversal via symlinks during agent/skill publishing. Key changes include sanitizing git command arguments and outputs, avoiding following symlinks during file copies, and updating regex patterns to use \Z instead of $ to prevent newline injection. Feedback on the changes highlights two potential TypeError bugs: one where a subprocess.run call lacks text=True (causing bytes to be passed to the string-based sanitization function), and another where _sanitize_git_args should be made more robust to handle non-string or bytes arguments.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| subprocess.run( | ||
| ["git", "remote", "add", "origin", repo_url], | ||
| cwd=tmp_dir, | ||
| check=True, | ||
| capture_output=True, | ||
| timeout=10, | ||
| ) |
There was a problem hiding this comment.
The subprocess.run call is missing text=True (or universal_newlines=True). Without it, stdout and stderr are returned as bytes rather than str. When a CalledProcessError is raised, passing e.stdout and e.stderr to _sanitize_git_output will result in a TypeError because the sanitization function expects string inputs. Adding text=True ensures the outputs are strings and prevents this crash.
| subprocess.run( | |
| ["git", "remote", "add", "origin", repo_url], | |
| cwd=tmp_dir, | |
| check=True, | |
| capture_output=True, | |
| timeout=10, | |
| ) | |
| subprocess.run( | |
| ["git", "remote", "add", "origin", repo_url], | |
| cwd=tmp_dir, | |
| check=True, | |
| capture_output=True, | |
| text=True, | |
| timeout=10, | |
| ) |
| def _sanitize_git_args(args: list[str] | str) -> list[str] | str: | ||
| """Redact tokens from git command arguments. | ||
|
|
||
| Prevents token leakage in CalledProcessError.cmd which is often | ||
| printed or logged. | ||
| """ | ||
| if isinstance(args, str): | ||
| return _sanitize_git_output(args) | ||
| return [_sanitize_git_output(arg) for arg in args] |
There was a problem hiding this comment.
The _sanitize_git_args function assumes that elements of args are always strings. However, subprocess.run can be called with bytes or other objects (such as Path objects) in the command list. If args contains bytes or non-string objects, _sanitize_git_output will raise a TypeError when performing regex substitution. Converting non-string elements to strings and decoding bytes makes this utility much more robust.
| def _sanitize_git_args(args: list[str] | str) -> list[str] | str: | |
| """Redact tokens from git command arguments. | |
| Prevents token leakage in CalledProcessError.cmd which is often | |
| printed or logged. | |
| """ | |
| if isinstance(args, str): | |
| return _sanitize_git_output(args) | |
| return [_sanitize_git_output(arg) for arg in args] | |
| def _sanitize_git_args(args: list[str] | str) -> list[str] | str: | |
| """Redact tokens from git command arguments. | |
| Prevents token leakage in CalledProcessError.cmd which is often | |
| printed or logged. | |
| """ | |
| if isinstance(args, (str, bytes)): | |
| text = args.decode("utf-8", errors="ignore") if isinstance(args, bytes) else args | |
| return _sanitize_git_output(text) | |
| return [ | |
| _sanitize_git_output(arg.decode("utf-8", errors="ignore") if isinstance(arg, bytes) else str(arg)) | |
| for arg in args | |
| ] |
🛡️ Sentinel Security Hardening Report
🚨 Severity: HIGH
💡 Vulnerabilities Identified:
$anchor, which matches before a trailing newline, potentially allowing bypasses if validated strings were passed to shell commands.publishflow,shutiloperations followed symlinks, which could result in private files from outside the bundle being copied into the public repository.subprocess.CalledProcessErrorstored the full command line (including URLs with tokens) in itscmdattribute, leaking secrets if the exception was printed or logged.🔧 Fixes Implemented:
$with\Zin security-critical validation patterns inlocal_source.pyandexternal_source.py._ignore_funcingit_publish.pyto usefnmatch.filterfor reliable glob and literal matching.shutil.copytree(symlinks=True)andshutil.copy2(follow_symlinks=False)in the publish flow to ensure symlinks are preserved as links and not traversed._sanitize_git_argsto redact GitHub tokens from command lists before they are passed to exception constructors.✅ Verification:
tests/test_publish_security_sentinel.py.python3 -m pytest.This contribution follows the Sentinel Protocol for high-impact security hardening.
PR created automatically by Jules for task 15149898864756280389 started by @calionauta