farhoodlabs/skills
8
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(github-app-token): expand unexpanded $VAR in GH_CONFIG_DIR with injection guard

Browse Source 
When GH_CONFIG_DIR is passed as a literal string like '$AGENT_HOME/.github'
(unexpanded by the caller), the script now detects this, validates the path
contains only safe characters, then uses eval to expand it to the real path.

Also removes the AGENT_HOME fallback — when GH_CONFIG_DIR is not set, the
script now lets gh use its default config directory (~/.config/gh) directly,
rather than failing or writing to a non-standard location.
This commit is contained in:
Chris Farhood
2026-05-03 17:34:30 -04:00
parent e48aafd324
commit f7a65e153c
2 changed files with 25 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files
github-app-token/scripts/generate-token.sh
+23 -15
View File
@@ -50,24 +50,32 @@ TOKEN=$(echo "$RESPONSE" | jq -r '.token // empty')
[[ -z "$TOKEN" ]] && die "No token in GitHub response: $RESPONSE"
# --- Resolve token file location ---
# Prefer GH_CONFIG_DIR (so the token lives alongside the per-agent gh config),
# fall back to AGENT_HOME, fail loudly if neither is set rather than silently
# writing to /tmp and leaking the token.
# Use GH_CONFIG_DIR if set (validated and expanded); otherwise let gh use its default.
if [[ -n "${GH_CONFIG_DIR:-}" ]]; then
# Expand any unexpanded $VAR references (e.g. $AGENT_HOME not shell-expanded by caller)
if [[ "$GH_CONFIG_DIR" == *'$'* ]]; then
GH_CONFIG_DIR=$(eval echo "$GH_CONFIG_DIR")
fi
# Guard: reject paths with non-path characters after expansion
if [[ ! "$GH_CONFIG_DIR" =~ ^[a-zA-Z0-9/_.:-]+$ ]]; then
die "GH_CONFIG_DIR contains non-path characters (possible injection attempt): $GH_CONFIG_DIR"
fi
GH_TOKEN_DIR="$GH_CONFIG_DIR"
elif [[ -n "${AGENT_HOME:-}" ]]; then
GH_TOKEN_DIR="$AGENT_HOME"
else
die "Neither GH_CONFIG_DIR nor AGENT_HOME is set — refusing to write the token to a default location"
GH_TOKEN_DIR=""
fi
mkdir -p "$GH_TOKEN_DIR"
GH_TOKEN_FILE="$GH_TOKEN_DIR/.gh-token"
printf '%s' "$TOKEN" > "$GH_TOKEN_FILE"
chmod 600 "$GH_TOKEN_FILE"
# --- Authenticate gh CLI ---
gh auth login --with-token < "$GH_TOKEN_FILE"
echo "Authenticated. Token written to $GH_TOKEN_FILE (expires in 1 hour)."
if [[ -n "$GH_TOKEN_DIR" ]]; then
GH_TOKEN_FILE="$GH_TOKEN_DIR/.gh-token"
mkdir -p "$GH_TOKEN_DIR"
printf '%s' "$TOKEN" > "$GH_TOKEN_FILE"
chmod 600 "$GH_TOKEN_FILE"
gh auth login --with-token < "$GH_TOKEN_FILE"
echo "Authenticated. Token written to $GH_TOKEN_FILE (expires in 1 hour)."
else
gh auth login --with-token <<<"$TOKEN"
echo "Authenticated. Token stored in gh default config directory (expires in 1 hour)."
fi