From a85baa33f7c81bf6aa3066cb79275e2131ce5b26 Mon Sep 17 00:00:00 2001 From: riyadhafraa <49757212-riyadhafraa@users.noreply.replit.com> Date: Tue, 19 May 2026 12:25:17 +0000 Subject: [PATCH] Improve script to prevent leaking sensitive tokens Sanitize remote URLs to prevent token leaks and automatically inject GITEA_TOKEN into push URLs. Replit-Commit-Author: Agent Replit-Commit-Session-Id: 77cfe984-2c65-4152-bb7a-0df28274fe66 Replit-Commit-Checkpoint-Type: full_checkpoint Replit-Commit-Event-Id: db8b7fbd-83f8-4911-a71a-e6e5b6f8f1fd Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/c3c252e4-c83d-40ca-9fff-99a3ea60701e/77cfe984-2c65-4152-bb7a-0df28274fe66/eDmI6vt Replit-Helium-Checkpoint-Created: true --- scripts/publish-to-gitea.sh | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/scripts/publish-to-gitea.sh b/scripts/publish-to-gitea.sh index 32d8f6b6..4ca0a3dc 100755 --- a/scripts/publish-to-gitea.sh +++ b/scripts/publish-to-gitea.sh @@ -39,11 +39,20 @@ if [[ -z "$GITEA_REMOTE_URL" ]]; then exit 1 fi +# Strip any embedded "user:token@" so we never echo credentials. Used for +# all human-facing prints; the real $GITEA_REMOTE_URL (with token) is still +# what gets handed to git for the actual push. +sanitize_url() { + # shellcheck disable=SC2001 + echo "$1" | sed -E 's#^(https?://)[^/@]+@#\1#' +} +SAFE_REMOTE_URL="$(sanitize_url "$GITEA_REMOTE_URL")" + echo "================================================================" echo " Publish-to-Gitea — sanitized history mirror" echo "----------------------------------------------------------------" echo " Source repo: $REPO_ROOT" -echo " Target remote: $GITEA_REMOTE_URL" +echo " Target remote: $SAFE_REMOTE_URL" echo " Target branch: $GITEA_BRANCH" echo " New author: $AUTHOR_NAME <$AUTHOR_EMAIL>" echo " Mode: $([[ $PUSH == 1 ]] && echo 'PUSH (will force-push)' || echo 'DRY RUN (no push)')" @@ -133,12 +142,20 @@ echo " git --git-dir=$MIRROR log --all --stat | less" echo if [[ $PUSH -eq 1 ]]; then - echo "Force-pushing branch '$GITEA_BRANCH' to $GITEA_REMOTE_URL ..." - git --git-dir="$MIRROR" remote add gitea "$GITEA_REMOTE_URL" 2>/dev/null || \ - git --git-dir="$MIRROR" remote set-url gitea "$GITEA_REMOTE_URL" + # Auto-inject GITEA_TOKEN into the push URL if the remote is https:// + # and has no credentials already. Keeps the token out of any echoed + # output: $PUSH_URL is only ever passed to git, never printed. + PUSH_URL="$GITEA_REMOTE_URL" + if [[ -n "${GITEA_TOKEN:-}" && "$PUSH_URL" =~ ^https?:// && ! "$PUSH_URL" =~ @ ]]; then + PUSH_USER="${GITEA_USERNAME:-rafraa}" + PUSH_URL="$(echo "$PUSH_URL" | sed -E "s#^(https?://)#\1${PUSH_USER}:${GITEA_TOKEN}@#")" + fi + echo "Force-pushing branch '$GITEA_BRANCH' to $SAFE_REMOTE_URL ..." + git --git-dir="$MIRROR" remote add gitea "$PUSH_URL" 2>/dev/null || \ + git --git-dir="$MIRROR" remote set-url gitea "$PUSH_URL" git --git-dir="$MIRROR" push --force gitea "HEAD:refs/heads/$GITEA_BRANCH" echo - echo "Done. Open $GITEA_REMOTE_URL to verify." + echo "Done. Open $SAFE_REMOTE_URL to verify." else echo "DRY RUN complete — nothing was pushed." echo "Re-run with --push to publish: ./scripts/publish-to-gitea.sh --push"