Skip to content

🛡️ Sentinel: [HIGH] Harden Publish Flow and Prevent Token Leakage#119

Open
calionauta wants to merge 1 commit into
mainfrom
sentinel/harden-publish-and-sync-15149898864756280389
Open

🛡️ Sentinel: [HIGH] Harden Publish Flow and Prevent Token Leakage#119
calionauta wants to merge 1 commit into
mainfrom
sentinel/harden-publish-and-sync-15149898864756280389

Conversation

@calionauta

Copy link
Copy Markdown
Owner

🛡️ Sentinel Security Hardening Report

🚨 Severity: HIGH

💡 Vulnerabilities Identified:

  1. Regex Newline Injection: Skill name validation used the $ anchor, which matches before a trailing newline, potentially allowing bypasses if validated strings were passed to shell commands.
  2. Brittle File Exclusion: The publish flow used manual string matching for ignoring files, which was prone to errors and missed some sensitive directories.
  3. Symlink Content Leakage: During the public publish flow, shutil operations followed symlinks, which could result in private files from outside the bundle being copied into the public repository.
  4. Token Leakage in Exceptions: subprocess.CalledProcessError stored the full command line (including URLs with tokens) in its cmd attribute, leaking secrets if the exception was printed or logged.

🔧 Fixes Implemented:

  • Secure Regex Anchors: Replaced all occurrences of $ with \Z in security-critical validation patterns in local_source.py and external_source.py.
  • Robust Pattern Matching: Refactored _ignore_func in git_publish.py to use fnmatch.filter for reliable glob and literal matching.
  • Symlink Protection: Configured shutil.copytree(symlinks=True) and shutil.copy2(follow_symlinks=False) in the publish flow to ensure symlinks are preserved as links and not traversed.
  • Command Sanitization: Introduced _sanitize_git_args to redact GitHub tokens from command lists before they are passed to exception constructors.

✅ Verification:

  • Created a new security test suite: tests/test_publish_security_sentinel.py.
  • Verified all new and existing security tests pass using python3 -m pytest.
  • Performed manual validation of regex behavior and token redaction.

This contribution follows the Sentinel Protocol for high-impact security hardening.


PR created automatically by Jules for task 15149898864756280389 started by @calionauta

- Fix regex newline injection by replacing $ with \Z in skill validation.
- Harden publish exclusion logic using fnmatch.filter.
- Prevent symlink content leakage by preserving links during publish.
- Redact tokens from git command arguments in CalledProcessError exceptions.
- Add comprehensive security regression tests.

Co-authored-by: calionauta <1719651+calionauta@users.noreply.github.com>
@google-labs-jules

Copy link
Copy Markdown
Contributor

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces security enhancements to prevent token leakage in CalledProcessError and directory traversal via symlinks during agent/skill publishing. Key changes include sanitizing git command arguments and outputs, avoiding following symlinks during file copies, and updating regex patterns to use \Z instead of $ to prevent newline injection. Feedback on the changes highlights two potential TypeError bugs: one where a subprocess.run call lacks text=True (causing bytes to be passed to the string-based sanitization function), and another where _sanitize_git_args should be made more robust to handle non-string or bytes arguments.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment on lines +282 to +288
subprocess.run(
["git", "remote", "add", "origin", repo_url],
cwd=tmp_dir,
check=True,
capture_output=True,
timeout=10,
)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

The subprocess.run call is missing text=True (or universal_newlines=True). Without it, stdout and stderr are returned as bytes rather than str. When a CalledProcessError is raised, passing e.stdout and e.stderr to _sanitize_git_output will result in a TypeError because the sanitization function expects string inputs. Adding text=True ensures the outputs are strings and prevents this crash.

Suggested change
subprocess.run(
["git", "remote", "add", "origin", repo_url],
cwd=tmp_dir,
check=True,
capture_output=True,
timeout=10,
)
subprocess.run(
["git", "remote", "add", "origin", repo_url],
cwd=tmp_dir,
check=True,
capture_output=True,
text=True,
timeout=10,
)

Comment thread src/agent_sync/sync.py
Comment on lines +53 to +61
def _sanitize_git_args(args: list[str] | str) -> list[str] | str:
"""Redact tokens from git command arguments.

Prevents token leakage in CalledProcessError.cmd which is often
printed or logged.
"""
if isinstance(args, str):
return _sanitize_git_output(args)
return [_sanitize_git_output(arg) for arg in args]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The _sanitize_git_args function assumes that elements of args are always strings. However, subprocess.run can be called with bytes or other objects (such as Path objects) in the command list. If args contains bytes or non-string objects, _sanitize_git_output will raise a TypeError when performing regex substitution. Converting non-string elements to strings and decoding bytes makes this utility much more robust.

Suggested change
def _sanitize_git_args(args: list[str] | str) -> list[str] | str:
"""Redact tokens from git command arguments.
Prevents token leakage in CalledProcessError.cmd which is often
printed or logged.
"""
if isinstance(args, str):
return _sanitize_git_output(args)
return [_sanitize_git_output(arg) for arg in args]
def _sanitize_git_args(args: list[str] | str) -> list[str] | str:
"""Redact tokens from git command arguments.
Prevents token leakage in CalledProcessError.cmd which is often
printed or logged.
"""
if isinstance(args, (str, bytes)):
text = args.decode("utf-8", errors="ignore") if isinstance(args, bytes) else args
return _sanitize_git_output(text)
return [
_sanitize_git_output(arg.decode("utf-8", errors="ignore") if isinstance(arg, bytes) else str(arg))
for arg in args
]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant