From f459efac69f507cb8f04065a59cb82e9fd71a2f0 Mon Sep 17 00:00:00 2001
From: Ronald Tse
Date: Sat, 20 Jun 2026 17:32:10 +0800
Subject: [PATCH] security: redact query strings from URLs in PR comments and issue bodies

A formula URL containing AWS temporary credentials (ASIA6KOSE3BNEPKIWAEW) was exposed in a formula-checks PR comment on PR #276. The URL's query string contained pre-signed S3 credentials that check_urls.rb captured in failure records, which render_report.rb then printed verbatim.

Fix: new redact_url() method strips everything after '?' and replaces with '(query redacted)'. Applied to all URL display in failure tables. Normal URLs without query strings are unaffected.

Also: resolved GitHub secret scanning alert #2 (comment deleted, key was temporary STS credential with automatic expiry).
---
 .github/scripts/render_report.rb | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/.github/scripts/render_report.rb b/.github/scripts/render_report.rb
index 9ac76e86..68329d90 100755
--- a/.github/scripts/render_report.rb
+++ b/.github/scripts/render_report.rb
@@ -297,14 +297,20 @@ def format_failure_detail(failure)
     parts = []
     if failure["url"]
       url = failure["url"]
-      # Truncate long URLs for readability in tables
-      display = url.size > 80 ? "#{url[0..77]}..." : url
-      parts << "[`#{display}`](#{url})"
+      safe_url = redact_url(url)
+      parts << "[`#{safe_url}`](#{safe_url})"
     end
     parts << failure["message"].to_s if failure["message"]
     parts.join(" · ")
   end
 
+  def redact_url(url)
+    return url unless url.is_a?(String) && url.include?("?")
+
+    base = url.split("?").first
+    "#{base}?…(query redacted)"
+  end
+
   def pr_footer
     footer = "_Generated by `render_report.rb` from `results/*.json` artifacts._"
     footer += " \n_Opens or updates the issue when this is a scheduled run._" unless @pr_number
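Review bot: The redaction only covers `failure["url"]`; the line `parts << failure["message"].to_s if failure["message"]` still emits the message verbatim, and if check_urls.rb ever includes the fetched or redirect-target URL in that message (an HTTP error string or exception text, for example — not visible from this hunk), the pre-signed query string would leak through the same comment. `redact_url` also cuts only at `?`, so a token carried in a fragment (`#...`) or in userinfo (`https://user:secret@host/`) is left intact, and a fragment-only URL is returned unchanged. I would cut at the first of `?` or `#`, run the same rule over the message text, and note in a comment that userinfo is still not handled. The "(query redacted)" marker is also used as the link href, which is fine for this purpose but worth a comment since it makes the link deliberately non-resolvable.
```ruby
  def redact_url(url)
    return url unless url.is_a?(String) && url.match?(/[?#]/)

    # Fragments can carry tokens too, so cut at whichever comes first.
    # NOTE: credentials in userinfo (user:pass@host) are not covered here.
    "#{url.split(/[?#]/, 2).first}?…(query redacted)"
  end

  # Apply the same rule to any http(s) URL embedded in free-text messages.
  def redact_urls_in(text)
    text.to_s.gsub(%r{(https?://[^\s?#]+)[?#]\S*}) { "#{Regexp.last_match(1)}?…(query redacted)" }
  end

  # … in format_failure_detail, unchanged except for this line …
    parts << redact_urls_in(failure["message"]) if failure["message"]
```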