security: GitHub token exposed in .git/config of cloned repositories #1026

@myakove

Summary

When the server clones repositories, it embeds the GitHub token directly in the clone URL, leaving it exposed in .git/config of every cloned repo.

Problem / Motivation

The current cloning mechanism embeds the GitHub token directly in the clone URL:

clone_url_with_token = clone_url.replace("https://", f"https://{github_token}@")
git clone {clone_url_with_token} {clone_repo_dir}

This means .git/config in every cloned repo contains the raw token:

[remote "origin"]
    url = https://ghp_abc123token@github.com/org/repo.git

Risk

Any process that runs inside the cloned repository with filesystem access can read .git/config and extract the token. This includes:

  • AI CLI tools (Claude, Gemini, Cursor) running with permissive flags
  • Custom check run commands
  • Tox/pre-commit executions
  • Any code in the repository itself during builds

With AI features that grant filesystem access (--dangerously-skip-permissions, --yolo, --force), a malicious PR author could craft content that tricks the AI into reading and exfiltrating the token via prompt injection.

Requirements

  1. Remove GitHub token from .git/config after cloning
  2. Use a secure credential delivery mechanism for subsequent git operations
  3. Ensure all existing clone/fetch/push operations continue to work

Suggested Solutions

  1. Git credential helper — Use git credential store or git credential cache instead of embedding tokens in URLs
  2. Remove token from config after clone — Run git remote set-url origin <clean-url> after cloning, use token only for fetch/push via env vars
  3. SSH URLs — Use SSH keys instead of HTTPS tokens
  4. GIT_ASKPASS — Use a script that provides the token via GIT_ASKPASS environment variable

Deliverables

  • Code changes to remove token from .git/config
  • Implement secure credential delivery mechanism
  • Add/update tests
  • Update CLAUDE.md (if architectural patterns change)

Notes

This is a pre-existing architectural issue affecting all operations that run in cloned repos, not specific to any single feature. The scope covers all clone operations in webhook_server/libs/github_api.py.
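One way to meet requirements 1 and 2, shown as an added example rather than the project's own code: clone with a clean URL and hand the token to git through a per-process credential helper, a variant of suggested solutions 1 and 2. The function names, the `GIT_TOKEN` variable and the `x-access-token` username are assumptions made for this sketch, and the `GIT_CONFIG_COUNT` mechanism needs git 2.31 or later.

```python
import os
import re
import subprocess
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Shell-snippet helper: git runs it via sh and reads username/password from stdout.
# The token is expanded from the environment at call time and never written to disk.
# GitHub takes the token as the password; the username here is a placeholder (assumption).
_HELPER = '!f() { echo "username=x-access-token"; echo "password=${GIT_TOKEN}"; }; f'
_URL_LINE = re.compile(r"^[ \t]*(?:url|pushurl)[ \t]*=[ \t]*(\S+)", re.MULTILINE)


def strip_userinfo(url: str) -> str:
    """Return the URL without any user:password@ part."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def git_auth_env(token: str, base_env: Optional[dict] = None) -> dict:
    """Environment for git subprocesses only; never reuse it for checks, tox or AI tools."""
    env = dict(os.environ if base_env is None else base_env)
    env.update({
        "GIT_TOKEN": token,
        "GIT_TERMINAL_PROMPT": "0",    # fail instead of prompting for a password
        "GIT_CONFIG_COUNT": "2",       # per-process config, nothing lands in .git/config
        "GIT_CONFIG_KEY_0": "credential.helper",
        "GIT_CONFIG_VALUE_0": "",      # empty value resets helpers set in other config files
        "GIT_CONFIG_KEY_1": "credential.helper",
        "GIT_CONFIG_VALUE_1": _HELPER,
    })
    return env


def clone(clone_url: str, dest: str, token: str) -> None:
    """Clone with a clean remote URL; the same env works for later fetch/push calls."""
    subprocess.run(["git", "clone", strip_userinfo(clone_url), dest],
                   env=git_auth_env(token), check=True)


def urls_with_credentials(git_config_text: str) -> list:
    """Return http(s) remote URLs in .git/config text that still embed userinfo."""
    found = []
    for url in _URL_LINE.findall(git_config_text):
        parts = urlsplit(url)
        if parts.scheme in ("http", "https") and (parts.username or parts.password):
            found.append(url)
    return found
```

`urls_with_credentials` can back a regression test that reads `.git/config` after every clone and fails if the list is non-empty.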
