Scope FORGEJO_ACCESS_TOKEN to the claude invocation only #12

Merged
bc1bb merged 1 commit from fix/token-env-leak-v2 into master 2026-05-15 01:20:53 +02:00
Collaborator

Summary

Fixes #4: FORGEJO_ACCESS_TOKEN was being exported to every child process spawned by the script (git, python3, timeout, awk, etc.) due to set -a during .env sourcing.

Two-line fix:

  • export -n FORGEJO_ACCESS_TOKEN immediately after set +a revokes the export flag. The variable stays accessible within the shell but is no longer inherited by subprocesses.
  • FORGEJO_ACCESS_TOKEN="$FORGEJO_ACCESS_TOKEN" timeout ... in the Forgejo invocation passes the token as an inline env var scoped to that process tree only (timeout inherits it and passes it down to claude).

The non-Forgejo path receives no token at all.

Note on the updated pipeline shape

Since the previous attempt (PR #11), master gained a timeout wrapper around claude. The inline assignment is placed before timeout rather than claude directly, since timeout is what actually spawns claude — the env var propagates correctly through that chain.

Test plan

  • Forgejo-mode audit still authenticates and creates issues correctly
  • FORGEJO_ACCESS_TOKEN absent from git fetch environment (verifiable with GIT_TRACE=1 or a debug hook in an audited repo)
  • Non-Forgejo path unaffected

Found by

Automated audit by Claude Code (issue #4)

set -a exports all .env variables including the token to every child
process (git, python3, awk, grep, etc.). export -n immediately after
sourcing revokes the export flag while keeping the variable accessible
in this shell. The token is then passed explicitly only to the Forgejo-
mode invocation via an inline assignment on timeout (which inherits it
down to claude). The non-Forgejo path receives no token at all.

Fixes #4.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
bc1bb merged commit 7fd5df7d7b into master 2026-05-15 01:20:53 +02:00
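
The leak and the two-line fix described in this PR, reproduced as an added example (not the repository's script). It assumes bash (`export -n` is a bash builtin option) and coreutils `timeout`; the `.env` file and token value are constructed placeholders, and `env` stands in for child processes such as `git` and `claude`.

```shell
#!/usr/bin/env bash
# Added example: set -a leak vs. export -n plus inline assignment.
# Constructed input: a temporary .env holding a placeholder token.
ENV_FILE=$(mktemp)
trap 'rm -f "$ENV_FILE"' EXIT
printf 'FORGEJO_ACCESS_TOKEN=placeholder-token\n' > "$ENV_FILE"

# Reports whether a child process spawned from the current shell
# inherits the token ("env" is the stand-in child).
child_view() {
    if env | grep -q '^FORGEJO_ACCESS_TOKEN='; then
        echo visible
    else
        echo absent
    fi
}

# Before the fix: set -a marks every variable sourced from .env for
# export, so any later child (git fetch, python3, awk) receives it.
before_fix() (
    set -a; . "$ENV_FILE"; set +a
    child_view
)

# After the fix: the export flag is revoked right after set +a, and the
# token is handed only to the one process tree that needs it.
after_fix() (
    set -a; . "$ENV_FILE"; set +a
    export -n FORGEJO_ACCESS_TOKEN

    unrelated=$(child_view)                 # e.g. git fetch
    in_shell=${FORGEJO_ACCESS_TOKEN:+set}   # still readable in this shell
    # Inline assignment: timeout receives the token and passes it down.
    scoped=$(FORGEJO_ACCESS_TOKEN="$FORGEJO_ACCESS_TOKEN" \
        timeout 5 env | grep -c '^FORGEJO_ACCESS_TOKEN=')
    later=$(child_view)                     # assignment did not persist

    echo "$unrelated $in_shell $scoped $later"
)

echo "before fix: child sees token -> $(before_fix)"
echo "after fix:  unrelated/in-shell/scoped/later -> $(after_fix)"
```

The same `env | grep` check can be dropped into a debug hook to confirm the second item of the test plan against the real script.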
Reference
bc1bb/claude-code-audit!12