fix(skills): keep curl credentials out of argv (#2175)
* fix(skills): avoid curl credential argv leaks * test(ci): guard secret curl examples
@@ -0,0 +1,96 @@
|
||||
#!/usr/bin/env node
|
||||
/**
|
||||
* Guard agent-facing curl examples from exposing credentials in argv.
|
||||
*/
|
||||
|
||||
const assert = require('assert');
|
||||
const fs = require('fs');
|
||||
const path = require('path');
|
||||
|
||||
const repoRoot = path.resolve(__dirname, '..', '..');
|
||||
|
||||
const jiraDocs = [
|
||||
'skills/jira-integration/SKILL.md',
|
||||
'docs/ja-JP/skills/jira-integration/SKILL.md',
|
||||
'docs/zh-CN/skills/jira-integration/SKILL.md',
|
||||
];
|
||||
|
||||
const socialDocs = [
|
||||
'skills/social-publisher/SKILL.md',
|
||||
];
|
||||
|
||||
function test(name, fn) {
|
||||
try {
|
||||
fn();
|
||||
console.log(` ✓ ${name}`);
|
||||
return true;
|
||||
} catch (error) {
|
||||
console.log(` ✗ ${name}`);
|
||||
console.log(` Error: ${error.message}`);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
function read(relativePath) {
|
||||
return fs.readFileSync(path.join(repoRoot, relativePath), 'utf8');
|
||||
}
|
||||
|
||||
function shellExamples(source) {
|
||||
const examples = [];
|
||||
const fencePattern = /```(?:bash|sh|shell)\r?\n([\s\S]*?)```/g;
|
||||
let match;
|
||||
|
||||
while ((match = fencePattern.exec(source)) !== null) {
|
||||
examples.push(match[1].replace(/\\\r?\n\s*/g, ' '));
|
||||
}
|
||||
|
||||
return examples.join('\n');
|
||||
}
|
||||
|
||||
function run() {
|
||||
console.log('\n=== Testing secret-safe curl examples ===\n');
|
||||
|
||||
let passed = 0;
|
||||
let failed = 0;
|
||||
|
||||
for (const relativePath of jiraDocs) {
|
||||
if (test(`${relativePath} keeps Jira credentials out of curl argv`, () => {
|
||||
const source = read(relativePath);
|
||||
const shell = shellExamples(source);
|
||||
|
||||
assert.match(shell, /jira_curl\(\)/, 'Expected a Jira curl wrapper');
|
||||
assert.match(shell, /\bcurl -s -K - "\$@"/, 'Expected curl config stdin in Jira wrapper');
|
||||
assert.doesNotMatch(
|
||||
shell,
|
||||
/\bcurl\b[^\n]*(?:-u|--user)(?:=|\s+)(?:"|')?\$JIRA_EMAIL:\$JIRA_API_TOKEN/,
|
||||
'Jira credentials must not be passed with curl -u/--user',
|
||||
);
|
||||
})) passed++; else failed++;
|
||||
}
|
||||
|
||||
for (const relativePath of socialDocs) {
|
||||
if (test(`${relativePath} keeps SocialClaw bearer token out of curl argv`, () => {
|
||||
const source = read(relativePath);
|
||||
const shell = shellExamples(source);
|
||||
|
||||
assert.match(
|
||||
shell,
|
||||
/printf 'header = "Authorization: Bearer %s"\\n' "\$SC_API_KEY" \|/,
|
||||
'Expected SocialClaw bearer header to be passed via curl config stdin',
|
||||
);
|
||||
assert.match(shell, /\bcurl -sS -K - https:\/\/getsocialclaw\.com\/v1\/keys\/validate/, 'Expected curl -K - validation call');
|
||||
assert.doesNotMatch(
|
||||
shell,
|
||||
/\bcurl\b[^\n]*-H\s+(?:"|')Authorization:\s*Bearer\s+\$SC_API_KEY(?:"|')/,
|
||||
'SocialClaw bearer token must not be passed with curl -H',
|
||||
);
|
||||
})) passed++; else failed++;
|
||||
}
|
||||
|
||||
console.log(`\nPassed: ${passed}`);
|
||||
console.log(`Failed: ${failed}`);
|
||||
|
||||
process.exit(failed > 0 ? 1 : 0);
|
||||
}
|
||||
|
||||
run();
|
||||
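Review bot: The negative checks in both loops only recognise one exact spelling of the leak (`-u`/`--user $JIRA_EMAIL:$JIRA_API_TOKEN` and `-H "Authorization: Bearer $SC_API_KEY"`), so a doc edit that switches to `${JIRA_API_TOKEN}`, `--header`, `--oauth2-bearer $SC_API_KEY`, or a token in the URL query string would keep the credential in curl's argv and still pass. Since the intent is that no curl invocation carries the secret at all, a simpler rule enforces it directly: `/\bcurl\b[^\n]*\$\{?(?:JIRA_EMAIL|JIRA_API_TOKEN)\b/` for the Jira docs and `/\bcurl\b[^\n]*\$\{?SC_API_KEY\b/` for SocialClaw, which still accept the approved `printf … | curl -sS -K -` form because the variable precedes `curl` on the joined line. Relatedly, `fencePattern` only scans fences tagged exactly `bash`, `sh` or `shell`, so an untagged fence or one with extra info-string attributes is skipped; `/```[^\n]*\r?\n([\s\S]*?)```/g` would cover every fenced example, at the cost of also catching any deliberately labelled bad example the docs may carry (not visible here, so worth confirming).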