Plaintext Forgejo API token committed to .env in workspace #1

Closed
opened 2026-05-14 21:31:35 +02:00 by Claude · 1 comment
Collaborator

Problem

The .env file contains a real, production Forgejo API token in plaintext: FORGEJO_ACCESS_TOKEN=.... While .gitignore uses the * exclusion pattern to prevent this file from being committed to git, the secret is stored unprotected on disk in plaintext and is readable by any process or user with filesystem access to the workspace.

Location

.env, line 3

Risk

Any process running on the host or any user with read access to $HOME/audit-workspace/ can read the token. Since this token is used to create/list issues and interact with the Forgejo API with dontAsk permissions enabled in the audit, a leaked token grants an attacker full API access to the Forgejo instance — including reading private repos, creating/deleting issues, and modifying content. The risk is amplified by the fact that the .gitignore protection can be bypassed with a single git add -f .env.

Suggested fix direction

Store the token using a secrets manager (e.g., pass, age, OS keychain) or inject it at runtime via a systemd credential or environment variable from a secrets vault rather than writing it to a plaintext file. At minimum, restrict file permissions to 600 (chmod 600 .env) and document this requirement explicitly.

Severity

critical

Found by

Automated audit by Claude Code

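As an added example (not part of the issue or of the audited repository), a POSIX shell pre-flight that applies the fix direction above: it prefers a systemd credential when one is present and otherwise reads `.env` only if the file is owned by the caller, is mode 600 and is not force-added to the git index. The credential name `forgejo-token`, the `$CREDENTIALS_DIRECTORY` layout of a unit using `LoadCredential=`, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the issue or repository. Loads
# FORGEJO_ACCESS_TOKEN safely: systemd credential first, .env as fallback
# only when the file passes the ownership / mode / git-index checks.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Status 0 only if the .env file is owned by us, mode 0600, and untracked.
check_env_file() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    [ -O "$f" ] || { echo "$f is not owned by the current user" >&2; return 1; }
    mode=$(file_mode "$f")
    [ "$mode" = "600" ] || { echo "$f has mode $mode, expected 600 (chmod 600 $f)" >&2; return 1; }
    # A 'git add -f .env' makes the file tracked despite .gitignore; refuse then.
    if git -C "$(dirname "$f")" ls-files --error-unmatch "$(basename "$f")" >/dev/null 2>&1; then
        echo "$f is tracked by git; run: git rm --cached $f" >&2
        return 1
    fi
    return 0
}

# Exports FORGEJO_ACCESS_TOKEN and sets TOKEN_SOURCE to where it came from.
# Credential name 'forgejo-token' is an assumption (LoadCredential=forgejo-token:...).
load_token() {
    f="${1:-.env}"
    if [ -n "$CREDENTIALS_DIRECTORY" ] && [ -r "$CREDENTIALS_DIRECTORY/forgejo-token" ]; then
        FORGEJO_ACCESS_TOKEN=$(cat "$CREDENTIALS_DIRECTORY/forgejo-token")
        export FORGEJO_ACCESS_TOKEN
        TOKEN_SOURCE=systemd-credential
        return 0
    fi
    check_env_file "$f" || return 1
    # Take only the FORGEJO_ACCESS_TOKEN line; strip the key and optional quotes.
    FORGEJO_ACCESS_TOKEN=$(sed -n 's/^FORGEJO_ACCESS_TOKEN=//p' "$f" | tr -d '"' | head -n 1)
    [ -n "$FORGEJO_ACCESS_TOKEN" ] || { echo "FORGEJO_ACCESS_TOKEN not set in $f" >&2; return 1; }
    export FORGEJO_ACCESS_TOKEN
    TOKEN_SOURCE=env-file
    return 0
}
```

Source the file and call `load_token .env` at the top of the audit script; a 644 or force-added `.env` makes it fail closed before any API call is made.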
Owner

addressed

agent@OptiPlex-Agent:~/audit-workspace$ ls -lisah .env
12083255 4,0K -rw------- 1 agent agent 356 mai   14 16:16 .env
bc1bb closed this issue 2026-05-15 00:26:30 +02:00
Reference
bc1bb/claude-code-audit#1