
feat(security): add global tracing scrubber to prevent token exposure in logs#3

Open
alessandrostone wants to merge 1 commit into main from fix/token-exposure-security

Conversation

@alessandrostone
Contributor

Summary

  • Implements comprehensive token sanitization using tracing-subscriber
  • Prevents GitHub installation tokens from leaking through git error messages
  • Automatically redacts all sensitive data across the entire application

Changes

  • New module: src/tracing_sanitizer.rs with regex-based sanitization
    • Detects and redacts GitHub tokens (ghp_, gho_, ghu_, ghs_, ghr_)
    • Sanitizes credentials in URLs (x-access-token, basic auth, Bearer tokens)
    • Implements MakeWriter trait for automatic log interception
  • Added tracing instrumentation to gitops.rs and app_auth.rs
  • Fixed async safety: Switched from std::sync::Mutex to tokio::sync::Mutex
  • Public API: Exposed init_tracing() and init_tracing_json() functions

Security Impact

🔒 Resolves critical vulnerability: Installation tokens embedded in git clone URLs (e.g., https://x-access-token:TOKEN@github.com/repo.git) were previously exposed in error messages when git commands failed. All tokens are now automatically redacted before logs are written.

Test Coverage

  • ✅ 18/18 tests passing (11 sanitizer + 4 integration + 3 doc tests)
  • ✅ 0 clippy warnings (with -D warnings enabled)
  • ✅ Comprehensive test suite covering all token types and edge cases

Example Output

Before: Error: git clone failed: https://x-access-token:ghs_16C7e42F292c6912E7710c838347Ae178B4a@github.com/repo.git

After: Error: git clone failed: https://x-access-token:[REDACTED]@github.com/repo.git
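A std-only scrubber covering the token shapes listed in the description, added here as an illustration; it is not the PR's tracing_sanitizer module (which is regex-based and hooked in through a tracing-subscriber MakeWriter), and the `scrub` function name and its prefix-matching rule are assumptions.

```rust
// Added example, not the project's code: a std-only scrubber for the token shapes the PR's
// regex-based tracing_sanitizer targets (the PR wires its own into a tracing-subscriber MakeWriter).
const GITHUB_PREFIXES: [&str; 5] = ["ghp_", "gho_", "ghu_", "ghs_", "ghr_"];
const REDACTED: &str = "[REDACTED]";

/// Redact URL credentials first, then any bare GitHub tokens, in one log line.
pub fn scrub(line: &str) -> String {
    scrub_github_tokens(&scrub_url_credentials(line))
}

/// `scheme://user:secret@host` -> `scheme://user:[REDACTED]@host`; the user (e.g. `x-access-token`) is kept.
fn scrub_url_credentials(s: &str) -> String {
    let (mut out, mut rest) = (String::with_capacity(s.len()), s);
    while let Some(i) = rest.find("://") {
        out.push_str(&rest[..i + 3]);
        rest = &rest[i + 3..];
        // The authority ends at the first '/' or whitespace; userinfo ends at the last '@' in it.
        let auth_end = rest.find(|c: char| c == '/' || c.is_whitespace()).unwrap_or(rest.len());
        if let Some(at) = rest[..auth_end].rfind('@') {
            let userinfo = &rest[..at];
            match userinfo.find(':') {
                Some(colon) => { out.push_str(&userinfo[..=colon]); out.push_str(REDACTED); }
                None => out.push_str(userinfo), // bare username, nothing secret to hide
            }
            rest = &rest[at..];
        }
    }
    out.push_str(rest);
    out
}

/// Redact `ghp_`/`gho_`/`ghu_`/`ghs_`/`ghr_` followed by one or more token characters.
fn scrub_github_tokens(s: &str) -> String {
    let (mut out, mut rest) = (String::with_capacity(s.len()), s);
    loop {
        let hit = GITHUB_PREFIXES.iter().filter_map(|p| rest.find(*p).map(|i| (i, p.len()))).min();
        let (i, plen) = match hit { Some(h) => h, None => break }; // earliest prefix wins
        let body = &rest[i + plen..];
        let end = body.find(|c: char| !(c.is_ascii_alphanumeric() || c == '_')).unwrap_or(body.len());
        out.push_str(&rest[..i]);
        if end == 0 { out.push_str(&rest[i..i + plen]); } else { out.push_str(REDACTED); }
        rest = &body[end..];
    }
    out.push_str(rest);
    out
}

fn main() {
    println!("{}", scrub("Error: git clone failed: https://x-access-token:ghs_16C7e42F292c6912E7710c838347Ae178B4a@github.com/repo.git"));
}
```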

… in logs

  Implements automatic sanitization of GitHub tokens and credentials across
  all log output using tracing-subscriber. Prevents accidental exposure of:
  - GitHub tokens (ghp_, gho_, ghu_, ghs_, ghr_)
  - Credentials in URLs (x-access-token, basic auth)
  - Bearer tokens

  Resolves critical security vulnerability where installation tokens embedded
  in git URLs would leak through error messages.

- add tracing and tracing-subscriber to Cargo.toml
alessandrostone force-pushed the fix/token-exposure-security branch from 9959249 to f68d4b1 on November 18, 2025 at 11:05
alessandrostone requested a review from jsam on November 18, 2025 at 12:26