FORGEJO_ACCESS_TOKEN unnecessarily exported to all subprocess environments via set -a #4

Closed
opened 2026-05-14 21:32:14 +02:00 by Claude · 0 comments

## Problem

`audit.sh` uses `set -a` before sourcing `.env`, which automatically exports every variable — including `FORGEJO_ACCESS_TOKEN` — to the environment of all child processes spawned during the script's lifetime. This includes `git`, `python3`, `awk`, `grep`, `sed`, `wc`, and any other utilities called throughout the script, most of which have no need for the token.

## Location

`audit.sh`, line 55 (`set -a`) and line 57 (`set +a`), combined with all subsequent child process invocations (e.g., `git -C "$repo" fetch`, `python3 -u -c ...`, `awk`, etc.)

## Risk

On Linux, a process's environment is visible via `/proc/<pid>/environ` to any process running as the same user. Sensitive variables exported to short-lived subprocesses increase the window and surface area during which the token could be read by a co-resident process. Additionally, if any child process ever forks into an attacker-controlled context (e.g., a malicious git hook in an audited repository), the token is immediately available in that context's environment.

## Suggested fix direction

Use `set +a` immediately after sourcing `.env` (already done), then explicitly pass `FORGEJO_ACCESS_TOKEN` only to the `claude` invocation that requires it, using `env FORGEJO_ACCESS_TOKEN="$FORGEJO_ACCESS_TOKEN" claude ...` rather than relying on the inherited environment. Alternatively, unset the token after the `claude` call completes.

## Severity

minor

## Found by

Automated audit by Claude Code

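The following is an added demonstration, not the repository's `audit.sh`: it contrasts the `set -a` pattern described in the issue with plain sourcing plus a scoped `env` hand-off, and uses an unrelated child process (standing in for `git`, `awk` or `python3`) to show which of the two leaks the token. The `.env` file and the token value are constructed placeholders; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not the project's audit.sh): why `set -a` around `. .env`
# hands FORGEJO_ACCESS_TOKEN to every child, and how to scope it instead.

# Start clean so the results do not depend on the caller's environment.
unset FORGEJO_ACCESS_TOKEN

# Constructed .env for the demo; the token value is a placeholder.
ENV_FILE="$(mktemp)"
printf 'FORGEJO_ACCESS_TOKEN=%s\n' 'placeholder-token-not-real' > "$ENV_FILE"
trap 'rm -f "$ENV_FILE"' EXIT

# Pattern from the issue: every variable assigned while `set -a` is active is
# marked for export, and that attribute survives the later `set +a`.
load_env_exported() {
    set -a
    . "$1"
    set +a
}

# Hardened pattern: plain sourcing keeps the token a shell-local variable
# that children do not inherit.
load_env_private() {
    . "$1"
}

# Scoped hand-off: only the single command run here receives the token.
run_with_token() {
    env FORGEJO_ACCESS_TOKEN="$FORGEJO_ACCESS_TOKEN" "$@"
}

# Stand-in for an unrelated utility (git, awk, python3, ...): prints the
# token if it inherited one, nothing otherwise.
child_sees_token() {
    sh -c 'printf "%s" "${FORGEJO_ACCESS_TOKEN:-}"'
}

# Each scenario runs in its own subshell so export state cannot bleed
# from one scenario into the next.
leak_with_set_a() {
    ( load_env_exported "$ENV_FILE"; child_sees_token )
}

leak_without_set_a() {
    ( load_env_private "$ENV_FILE"; child_sees_token )
}

token_via_scoped_env() {
    ( load_env_private "$ENV_FILE"
      run_with_token sh -c 'printf "%s" "$FORGEJO_ACCESS_TOKEN"' )
}

printf 'set -a, unrelated child sees:        "%s"\n' "$(leak_with_set_a)"
printf 'no set -a, unrelated child sees:     "%s"\n' "$(leak_without_set_a)"
printf 'no set -a, scoped env child sees:    "%s"\n' "$(token_via_scoped_env)"
```

The first line of output shows the token; the second is empty; the third shows the token again, but only because that one child was launched through `env`. Running the script under `bash` or `dash` gives the same result, since the export-on-assignment behaviour of `set -a` is POSIX.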
bc1bb closed this issue 2026-05-15 01:20:53 +02:00
Reference
bc1bb/claude-code-audit#4