From 181b9ef73481ba75e083aa31f571e0ea08012e6a Mon Sep 17 00:00:00 2001
From: Shaun Arman
Date: Sun, 12 Apr 2026 18:03:17 -0500
Subject: [PATCH] =?UTF-8?q?fix:=20harden=20pr-review=20workflow=20?=
 =?UTF-8?q?=E2=80=94=20secret=20redaction,=20log=20safety,=20auth=20header?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Replace flawed sed-based redaction with grep -v line-removal covering JS/YAML assignments, Authorization headers, AWS keys (AKIA…), Slack tokens (xox…), GitHub tokens (gh[opsu]_…), URLs with embedded credentials, and long Base64 strings
- Add -c flag to jq -n when building Ollama request body (compact JSON)
- Remove jq . full response dump to prevent LLM-echoed secrets in logs
- Change Gitea API Authorization header from `token` to `Bearer`
---
 .gitea/workflows/pr-review.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.gitea/workflows/pr-review.yml b/.gitea/workflows/pr-review.yml
index 39544c94..e72f3c4c 100644
--- a/.gitea/workflows/pr-review.yml
+++ b/.gitea/workflows/pr-review.yml
@@ -58,9 +58,10 @@ jobs:
 echo "WARNING: Binary file changes detected — they will be excluded from analysis"
 fi
 DIFF_CONTENT=$(head -n 500 /tmp/pr_diff.txt \
- | sed -E 's/(password|token|secret|api_key|private_key)[[:space:]]*[=:][[:space:]]+([^$[:space:]][^[:space:]]*)/\1=[REDACTED]/gi')
+ | grep -v -E '^[+-].*(password[[:space:]]*[=:"'"'"']|token[[:space:]]*[=:"'"'"']|secret[[:space:]]*[=:"'"'"']|api_key[[:space:]]*[=:"'"'"']|private_key[[:space:]]*[=:"'"'"']|Authorization:[[:space:]]|AKIA[A-Z0-9]{16}|xox[baprs]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}|gh[opsu]_[A-Za-z0-9_]{36,}|https?://[^@[:space:]]+:[^@[:space:]]+@)' \
+ | grep -v -E '^[+-].*[A-Za-z0-9+/]{40,}={0,2}([^A-Za-z0-9+/=]|$)')
 PROMPT="Analyze the following code changes for correctness, security issues, and best practices. PR Title: ${PR_TITLE}\n\nDiff:\n${DIFF_CONTENT}\n\nProvide a review with: 1) Summary, 2) Bugs/errors, 3) Security issues, 4) Best practices. Give specific comments with suggested fixes."
- BODY=$(jq -n \
+ BODY=$(jq -cn \
 --arg model "qwen3-coder-next:latest" \
 --arg content "$PROMPT" \
 '{model: $model, messages: [{role: "user", content: $content}], stream: false}')
@@ -84,7 +85,6 @@ jobs:
 cat /tmp/ollama_response.json
 exit 1
 fi
- jq . /tmp/ollama_response.json
 REVIEW=$(jq -r '.choices[0].message.content // empty' /tmp/ollama_response.json)
 if [ -z "$REVIEW" ]; then
 echo "ERROR: No content in Ollama response"
@@ -118,7 +118,7 @@ jobs:
 HTTP_CODE=$(curl -s --max-time 30 --connect-timeout 10 \
 -o /tmp/review_post_response.json -w "%{http_code}" \
 -X POST "https://gogs.tftsr.com/api/v1/repos/${REPOSITORY}/pulls/${PR_NUMBER}/reviews" \
- -H "Authorization: token $TF_TOKEN" \
+ -H "Authorization: Bearer $TF_TOKEN" \
 -H "Content-Type: application/json" \
 -d "$BODY")
 echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] Post review HTTP status: $HTTP_CODE"
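Review bot: The two new `grep -v` filters are case-sensitive, whereas the `sed` they replace ran with the `i` flag, so an added line such as `API_KEY=…`, `PASSWORD: …` or `Secret = …` now passes straight through to the model prompt; add `-i` to the first grep at least (`| grep -v -i -E '^[+-].*(password…`). A second consequence of moving to whole-line removal: `grep -v` exits 1 when it emits nothing (empty diff, or every changed line filtered), and if this `run:` step executes under the runner's usual `bash -e` that makes the `DIFF_CONTENT=$(…)` assignment abort the job with no explanatory message — append `|| true` (or the stricter `|| [ $? -eq 1 ]`) to the last grep inside the substitution. The 40-character Base64 rule will also drop every changed line carrying a git SHA or npm integrity hash, which is probably acceptable collateral but deserves a comment on the line, e.g. `# removes whole lines (incl. lockfile hashes/SHAs) rather than redacting — the model sees a gapped diff`. The enclosing `run:` step begins before this hunk.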
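Review bot: The failure branch just above the deleted line still runs `cat /tmp/ollama_response.json` unconditionally, so the full-response dump this commit removes from the success path survives on the error path, where an error body from an OpenAI-compatible endpoint may quote parts of the rejected request content. Replace it with a bounded, structured excerpt such as `jq -r '.error // empty' /tmp/ollama_response.json | head -c 500`; if the body might not be JSON at all, a plain `head -c 500 /tmp/ollama_response.json` is the fallback, at the cost of logging raw text. The `if` that this branch belongs to starts outside the hunk.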
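Review bot: Passing the token through `-H "Authorization: Bearer $TF_TOKEN"` leaves it on curl's argv, where it is readable via `ps` on the runner and printed verbatim by any `set -x` trace; curl can read headers from a file instead (`printf 'Authorization: Bearer %s\n' "$TF_TOKEN" > "$hdr"` then `-H "@$hdr"`, curl ≥ 7.55), which keeps the secret out of the process table. Separately, the endpoint host is named gogs.tftsr.com while the commit message and the `.gitea/workflows` path call the server Gitea: Gitea accepts both the `token` and `Bearer` schemes, but as far as I recall Gogs' API accepts only `token`, so if that host really is Gogs this one-word change turns every post into a 401 — the HTTP status logged on the next line will show it on the first run. The step's handling of a non-2xx status is outside the hunk.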