Closed
Labels: bug (Something isn't working), needs-investigation, security (Security concerns), triaged
Description
Summary
Four-agent audit identified 3 CRITICAL and 2 HIGH severity security issues.
CRITICAL Issues
1. Token leak in verbose mode (process_runner.dart:29)
CiProcessRunner.exec() logs all command arguments when --verbose is used:
```dart
if (verbose) Logger.info(' \$ $executable ${args.join(" ")}');
```
When create_release_command.dart:297 sets the git remote URL with a token:
```dart
['remote', 'set-url', 'origin', 'https://x-access-token:$ghToken@github.com/$remoteRepo.git']
```
...the token appears in the logs. The same applies in manage_cicd.dart:2066.
2. Shell injection via unquoted $path (sub_package_utils.dart:92,109)
User-controlled sub-package paths embedded directly in shell strings:
```dart
CiProcessRunner.runSync('git log $logRange --oneline --no-merges -- $path', repoRoot);
CiProcessRunner.runSync('git diff --stat $diffRange -- $path', repoRoot);
```
If path contains shell metacharacters, arbitrary commands execute.
3. Shell injection via unquoted $prevTag (sub_package_utils.dart:67)
prevTag (from version detection) embedded in shell strings without validation:
```dart
final diffRange = prevTag.isNotEmpty ? '$prevTag..HEAD' : '...';
```
HIGH Issues
4. Silent error swallowing (release_utils.dart:78,143)
- Contributors JSON parse failure silently returns empty list
- GitHub API failures silently ignored during release notes
5. Inconsistent token masking in CI template
- Release workflow uses `env:` variable masking (good)
- CI workflow inlines tokens in `run:` blocks (bad)
Fix Plan
- Add `_redactArgs()` to CiProcessRunner that masks tokens in log output
- Convert `CiProcessRunner.runSync()` shell strings to `Process.runSync()` with array args
- Validate `prevTag` format before embedding in commands
- Add `Logger.warn()` for caught exceptions in release_utils
- Standardize token masking via `env:` blocks in CI skeleton template
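As an added illustration of the first three fix-plan items (example code, not the project's own): a redaction helper for log output, a format check for `prevTag`, and a `git diff` call built with `Process.runSync()` and array arguments instead of an interpolated shell string. The names `redactArgs`, `validatedTag` and `gitDiffStat`, the token patterns, and the `HEAD` fallback for an empty tag are assumptions.

```dart
import 'dart:io';

// Credential component of an HTTPS remote URL, e.g.
// https://x-access-token:TOKEN@github.com/owner/repo.git
final RegExp _urlCredential = RegExp(r'(https?://[^/@\s]*:)[^@\s]+@');
// Bare GitHub token shapes (classic gh?_ prefixes and fine-grained github_pat_).
final RegExp _bareToken = RegExp(r'\b(gh[pousr]_|github_pat_)[A-Za-z0-9_]+');

/// Copy of [args] that is safe to log: embedded credentials are masked.
List<String> redactArgs(List<String> args) => args
    .map((a) => a
        .replaceAllMapped(_urlCredential, (m) => '${m[1]}***@')
        .replaceAllMapped(_bareToken, (m) => '${m[1]}***'))
    .toList();

// Accept only release tags such as v1.2.3 or 1.2.3-rc.1. Anything else,
// including values beginning with '-' that git would read as an option,
// is rejected before it is placed in a command (assumed tag policy).
final RegExp _tagPattern = RegExp(r'^v?\d+\.\d+\.\d+(?:-[0-9A-Za-z.]+)?$');

String validatedTag(String tag) {
  if (!_tagPattern.hasMatch(tag)) {
    throw FormatException('refusing to use tag with unexpected format', tag);
  }
  return tag;
}

/// Runs git with an argument list: no shell is involved, so metacharacters
/// in [path] reach git literally, and the `--` separator keeps git from
/// treating the path as an option. The HEAD fallback is a constructed choice.
ProcessResult gitDiffStat(String prevTag, String path, String repoRoot) {
  final diffRange = prevTag.isEmpty ? 'HEAD' : '${validatedTag(prevTag)}..HEAD';
  return Process.runSync('git', ['diff', '--stat', diffRange, '--', path],
      workingDirectory: repoRoot);
}

void main() {
  // Constructed sample: the token value below is a placeholder, not a real secret.
  final args = ['remote', 'set-url', 'origin',
      'https://x-access-token:ghp_PLACEHOLDER123@github.com/owner/repo.git'];
  print(' \$ git ${redactArgs(args).join(' ')}'); // token shown as ***
  try {
    validatedTag('-v1.0.0'); // looks like a git option, so it is refused
  } on FormatException catch (e) {
    print('rejected tag: ${e.source}');
  }
}
```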