🛡️ Sentinel: [CRITICAL] Fix command injection and secret leak in github-clone

.jules/sentinel.md

@@ -0,0 +1,4 @@
+## 2024-10-24 - Secret Leakage in Node.js child_process errors
+**Vulnerability:** When executing shell commands (via `exec` or `execFile`) that contain secrets (like an embedded `oauth2:<token>@github.com` in a git clone URL), if the command fails, the `error.message` thrown by Node.js includes the full command string, exposing the secret. If this error is passed back in an API response (e.g. `return { error: error.message }`), the secret is leaked to the client.
+**Learning:** Node.js `child_process` utilities include the executed command (and its arguments) in the error object when a process exits with a non-zero code. This means we must always sanitize the `error.message` before returning it in any external response.
+**Prevention:** Always use regex or string replacement to redact secrets (e.g. `.replace(/oauth2:[^@]+@/g, 'oauth2:***@')`) from `error.message` when a shell command fails, or better yet, return a generic error message and log the real error server-side.

src/pages/api/github-clone.ts

@@ -1,12 +1,12 @@
 import type { APIRoute } from 'astro';
-import { exec } from 'node:child_process';
+import { execFile } from 'node:child_process';
 import util from 'node:util';
 import fs from 'node:fs';
 import path from 'node:path';
 import { getReposRootResolved } from '../../lib/forge-repos';
 import { getConfig } from '../../lib/config-db';
 
-const execPromise = util.promisify(exec);
+const execFileAsync = util.promisify(execFile);
 
 export const POST: APIRoute = async ({ request }) => {
   try {
@@ -16,6 +16,11 @@ export const POST: APIRoute = async ({ request }) => {
       return new Response(JSON.stringify({ error: 'repoUrl et repoName requis' }), { status: 400 });
     }
 
+    // 🛡️ Security: Prevent flag injection by ensuring inputs don't start with a hyphen
+    if (repoUrl.startsWith('-') || repoName.startsWith('-')) {
+      return new Response(JSON.stringify({ error: 'Les paramètres ne peuvent pas commencer par un tiret' }), { status: 400 });
+    }
+
     const githubToken = await getConfig('githubToken', true);
     if (!githubToken || githubToken.trim() === '') {
       return new Response(JSON.stringify({ error: 'Jeton GitHub manquant' }), { status: 400 });
@@ -33,7 +38,9 @@ export const POST: APIRoute = async ({ request }) => {
     const authUrl = repoUrl.replace('https://', `https://oauth2:${githubToken}@`);
 
     // Clone the repository
-    const { stdout, stderr } = await execPromise(`git clone ${authUrl} ${repoName}`, { cwd: reposRoot });
+    // 🛡️ Security: Use execFile with array instead of exec with string concatenation
+    // to prevent command injection
+    const { stdout, stderr } = await execFileAsync('git', ['clone', authUrl, repoName], { cwd: reposRoot });
 
     // Try to auto-sync it into the database
     try {
@@ -53,7 +60,11 @@ export const POST: APIRoute = async ({ request }) => {
     });
 
   } catch (error: any) {
-    return new Response(JSON.stringify({ error: error.message || 'Erreur lors du clonage' }), {
+    // 🛡️ Security: Sanitize error message to prevent leaking GitHub token to the client
+    // since Node.js exec/execFile errors include the command executed
+    const safeErrorMsg = (error.message || 'Erreur lors du clonage').replace(/oauth2:[^@]+@/g, 'oauth2:***@');
+
+    return new Response(JSON.stringify({ error: safeErrorMsg }), {
       status: 500,
       headers: { 'Content-Type': 'application/json' },
     });