Skip to content

fix(skills): keep curl credentials out of argv#2175

Merged
affaan-m merged 2 commits into
affaan-m:mainfrom
Kumario1:fix/curl-credential-config-docs
Jun 7, 2026
Merged

fix(skills): keep curl credentials out of argv#2175
affaan-m merged 2 commits into
affaan-m:mainfrom
Kumario1:fix/curl-credential-config-docs

Conversation

@Kumario1

@Kumario1 Kumario1 commented Jun 6, 2026

Copy link
Copy Markdown
Contributor

Summary

Fixes #2165.

  • update Jira REST examples to use a jira_curl wrapper that passes user = ... through curl config stdin instead of -u "$JIRA_EMAIL:$JIRA_API_TOKEN"
  • update the SocialClaw validation example to pass the bearer header through curl config stdin instead of -H "Authorization: Bearer $SC_API_KEY"
  • add a CI regression test covering the affected Jira English/Japanese/Chinese docs and SocialClaw skill

Verification

  • node tests/ci/secret-curl-flags.test.js
  • node tests/ci/agent-instruction-safety.test.js
  • node tests/run-all.js — 2623 passed, 0 failed

Summary by cubic

Prevents credentials from appearing in curl argv in Jira and SocialClaw skill docs by moving auth to stdin and adding CI to block regressions. Fixes #2165.

  • Bug Fixes
    • Jira docs (EN/JA/ZH): add a jira_curl wrapper that pipes user = "$JIRA_EMAIL:$JIRA_API_TOKEN" to curl -K -; replace all curl -u examples in fetch, comments, transitions, and JQL sections.
    • SocialClaw: send the bearer header via stdin with curl -K - in the key validation example; remove -H "Authorization: Bearer $SC_API_KEY".
    • CI: add tests/ci/secret-curl-flags.test.js to ensure examples use stdin config and never pass secrets via -u/--user or -H Authorization.

Written for commit 73049c2. Summary will update on new commits.

Review in cubic

Summary by CodeRabbit

  • Documentation

    • Updated Jira integration documentation (English, Japanese, Chinese) and SocialClaw setup guide with revised credential handling examples.
  • Tests

    • Added automated test to verify credential handling patterns in documentation examples.

@Kumario1 Kumario1 requested a review from affaan-m as a code owner June 6, 2026 02:33
@ecc-tools

ecc-tools Bot commented Jun 6, 2026

Copy link
Copy Markdown
Contributor

ECC bundle files are already tracked in this repository. Skipping generation of another bundle PR.

@coderabbitai

coderabbitai Bot commented Jun 6, 2026

Copy link
Copy Markdown
Contributor

Lost in the diff? Review this PR in Change Stack to follow the change map from intent to exact ranges.

Review Change Stack

📝 Walkthrough

Walkthrough

This PR hardens API credential security in skill documentation by refactoring curl commands to pass credentials via stdin (-K -) instead of command-line flags, which prevents tokens from appearing in shell history and process listings. Documentation for Jira (English, Japanese, Chinese) and SocialClaw integrations was updated, and a CI test was added to enforce the pattern.

Changes

Credential security hardening

Layer / File(s) Summary
Jira curl stdin credential pattern
skills/jira-integration/SKILL.md, docs/ja-JP/skills/jira-integration/SKILL.md, docs/zh-CN/skills/jira-integration/SKILL.md
Added jira_curl() helper function that pipes JIRA_EMAIL and JIRA_API_TOKEN to curl via stdin in all three language versions, then updated all REST API example commands (fetch ticket, fetch comments, add comment, transition issue, JQL search) to call the helper instead of using inline -u authentication.
SocialClaw authorization header stdin pattern
skills/social-publisher/SKILL.md
Updated the "Verify access" curl command to build the Authorization: Bearer header via printf piped to curl stdin instead of passing it directly with the -H flag.
CI test for credential exposure prevention
tests/ci/secret-curl-flags.test.js
Created a test script that parses Jira and SocialClaw documentation, extracts bash code blocks, and asserts curl commands do not expose credentials via flags: verifies jira_curl() exists and uses -K - without -u for Jira; verifies Authorization header is piped to curl stdin without inline -H for SocialClaw.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • affaan-m/ECC#2052: Prior update to the SocialClaw skill documentation that aligns with the credential security pattern introduced in this PR.

Suggested reviewers

  • affaan-m

🐰 A token walks into a bash script,
"Please don't let me slip!"
Stdin whispers back with care,
"History will not declare.
Your secret safe from ps's sight,
Credentials flow just right!"

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and concisely describes the main change: moving curl credentials from command-line arguments to stdin to prevent exposure.
Linked Issues check ✅ Passed The PR fully addresses issue #2165 by updating all affected Jira skill files (English and translations) and SocialClaw skill to pass credentials via curl config stdin instead of command-line flags, with comprehensive CI test coverage.
Out of Scope Changes check ✅ Passed All changes are directly related to fixing the security vulnerability in issue #2165; no unrelated modifications detected beyond the specified skill documentation files and corresponding CI tests.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install failed. For unrecoverable errors, disable the tool in CodeRabbit configuration.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@skills/jira-integration/SKILL.md`:
- Around line 68-75: Add fail-fast validation in the jira_curl() helper: before
piping credentials to curl, check that the environment variables JIRA_EMAIL and
JIRA_API_TOKEN are set and non-empty, and if either is missing print a clear
error to stderr and exit non-zero; update the jira_curl() function (the shell
function defined as jira_curl) to perform these checks and only invoke curl when
both values are present, ensuring no further execution or network calls occur on
misconfiguration.

In `@skills/social-publisher/SKILL.md`:
- Around line 26-27: The build step currently constructs a curl config using
SC_API_KEY even when it's unset; add a pre-check that verifies the environment
variable SC_API_KEY is set and non-empty and fail fast with a clear error
message (e.g., print to stderr and exit non-zero) before running the printf/curl
sequence that builds the "Authorization: Bearer ..." header; update the logic
around the printf and curl invocation so they only run after SC_API_KEY
validation.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d5ca8b51-0b10-42e5-9c28-39efee4cd586

📥 Commits

Reviewing files that changed from the base of the PR and between 7113b5b and 73049c2.

📒 Files selected for processing (5)
  • docs/ja-JP/skills/jira-integration/SKILL.md
  • docs/zh-CN/skills/jira-integration/SKILL.md
  • skills/jira-integration/SKILL.md
  • skills/social-publisher/SKILL.md
  • tests/ci/secret-curl-flags.test.js

Comment on lines +68 to +75
For direct `curl` examples, keep credentials out of command-line arguments by passing the Jira user config on stdin:

```bash
jira_curl() {
printf 'user = "%s:%s"\n' "$JIRA_EMAIL" "$JIRA_API_TOKEN" |
curl -s -K - "$@"
}
```

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add fail-fast checks for required Jira credentials in jira_curl().

jira_curl() should validate JIRA_EMAIL and JIRA_API_TOKEN before invoking curl, so misconfiguration fails immediately with a clear error instead of making ambiguous unauthenticated calls.

Suggested patch
 jira_curl() {
+  : "${JIRA_EMAIL:?JIRA_EMAIL is required}"
+  : "${JIRA_API_TOKEN:?JIRA_API_TOKEN is required}"
   printf 'user = "%s:%s"\n' "$JIRA_EMAIL" "$JIRA_API_TOKEN" |
     curl -s -K - "$@"
 }

As per coding guidelines, “Validate all user input at system boundaries using schema-based validation; fail fast with clear error messages” and “Never hardcode secrets...”.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/jira-integration/SKILL.md` around lines 68 - 75, Add fail-fast
validation in the jira_curl() helper: before piping credentials to curl, check
that the environment variables JIRA_EMAIL and JIRA_API_TOKEN are set and
non-empty, and if either is missing print a clear error to stderr and exit
non-zero; update the jira_curl() function (the shell function defined as
jira_curl) to perform these checks and only invoke curl when both values are
present, ensuring no further execution or network calls occur on
misconfiguration.

Source: Coding guidelines

Comment on lines +26 to +27
printf 'header = "Authorization: Bearer %s"\n' "$SC_API_KEY" |
curl -sS -K - https://getsocialclaw.com/v1/keys/validate

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fail fast when SC_API_KEY is unset before building the curl config.

Add an explicit required-variable check so the validation step errors clearly instead of sending an empty bearer token.

Suggested patch
+# Verify access
+: "${SC_API_KEY:?SC_API_KEY is required}"
 printf 'header = "Authorization: Bearer %s"\n' "$SC_API_KEY" |
   curl -sS -K - https://getsocialclaw.com/v1/keys/validate

As per coding guidelines, “Validate all user input at system boundaries... fail fast with clear error messages” and “Never hardcode secrets... use environment variables or a secret manager”.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
printf 'header = "Authorization: Bearer %s"\n' "$SC_API_KEY" |
curl -sS -K - https://getsocialclaw.com/v1/keys/validate
# Verify access
: "${SC_API_KEY:?SC_API_KEY is required}"
printf 'header = "Authorization: Bearer %s"\n' "$SC_API_KEY" |
curl -sS -K - https://getsocialclaw.com/v1/keys/validate
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/social-publisher/SKILL.md` around lines 26 - 27, The build step
currently constructs a curl config using SC_API_KEY even when it's unset; add a
pre-check that verifies the environment variable SC_API_KEY is set and non-empty
and fail fast with a clear error message (e.g., print to stderr and exit
non-zero) before running the printf/curl sequence that builds the
"Authorization: Bearer ..." header; update the logic around the printf and curl
invocation so they only run after SC_API_KEY validation.

Source: Coding guidelines

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

3 issues found across 5 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="docs/ja-JP/skills/jira-integration/SKILL.md">

<violation number="1" location="docs/ja-JP/skills/jira-integration/SKILL.md:71">
P2: `jira_curl` interpolates credential values into curl config syntax without escaping quotes or backslashes, which can break parsing or enable option injection if credentials contain unexpected characters.</violation>

<violation number="2" location="docs/ja-JP/skills/jira-integration/SKILL.md:72">
P2: Add fail-fast checks for `JIRA_EMAIL` and `JIRA_API_TOKEN` before invoking curl. If either variable is unset, the function will silently send an empty or malformed credential string, resulting in an ambiguous 401 instead of a clear configuration error.

```bash
jira_curl() {
  : "${JIRA_EMAIL:?JIRA_EMAIL is required}"
  : "${JIRA_API_TOKEN:?JIRA_API_TOKEN is required}"
  printf 'user = "%s:%s"\n' "$JIRA_EMAIL" "$JIRA_API_TOKEN" |
    curl -s -K - "$@"
}
```</violation>
</file>

<file name="tests/ci/secret-curl-flags.test.js">

<violation number="1" location="tests/ci/secret-curl-flags.test.js:84">
P2: The SocialClaw negative regex misses the `-H"..."` form, so this CI test can fail to catch a credential-leaking regression.</violation>
</file>

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

直接 `curl` 例では、Jira ユーザー設定を標準入力で渡し、認証情報がコマンドライン引数に出ないようにします。

```bash
jira_curl() {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: jira_curl interpolates credential values into curl config syntax without escaping quotes or backslashes, which can break parsing or enable option injection if credentials contain unexpected characters.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At docs/ja-JP/skills/jira-integration/SKILL.md, line 71:

<comment>`jira_curl` interpolates credential values into curl config syntax without escaping quotes or backslashes, which can break parsing or enable option injection if credentials contain unexpected characters.</comment>

<file context>
@@ -65,6 +65,15 @@ MCP が利用できない場合は、`curl` またはヘルパースクリプト
+直接 `curl` 例では、Jira ユーザー設定を標準入力で渡し、認証情報がコマンドライン引数に出ないようにします。
+
+```bash
+jira_curl() {
+  printf 'user = "%s:%s"\n' "$JIRA_EMAIL" "$JIRA_API_TOKEN" |
+    curl -s -K - "$@"
</file context>

assert.match(shell, /\bcurl -sS -K - https:\/\/getsocialclaw\.com\/v1\/keys\/validate/, 'Expected curl -K - validation call');
assert.doesNotMatch(
shell,
/\bcurl\b[^\n]*-H\s+(?:"|')Authorization:\s*Bearer\s+\$SC_API_KEY(?:"|')/,

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: The SocialClaw negative regex misses the -H"..." form, so this CI test can fail to catch a credential-leaking regression.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At tests/ci/secret-curl-flags.test.js, line 84:

<comment>The SocialClaw negative regex misses the `-H"..."` form, so this CI test can fail to catch a credential-leaking regression.</comment>

<file context>
@@ -0,0 +1,96 @@
+      assert.match(shell, /\bcurl -sS -K - https:\/\/getsocialclaw\.com\/v1\/keys\/validate/, 'Expected curl -K - validation call');
+      assert.doesNotMatch(
+        shell,
+        /\bcurl\b[^\n]*-H\s+(?:"|')Authorization:\s*Bearer\s+\$SC_API_KEY(?:"|')/,
+        'SocialClaw bearer token must not be passed with curl -H',
+      );
</file context>
Suggested change
/\bcurl\b[^\n]*-H\s+(?:"|')Authorization:\s*Bearer\s+\$SC_API_KEY(?:"|')/,
/\bcurl\b[^\n]*-H\s*(?:"|')Authorization:\s*Bearer\s+\$SC_API_KEY(?:"|')/,


```bash
jira_curl() {
printf 'user = "%s:%s"\n' "$JIRA_EMAIL" "$JIRA_API_TOKEN" |

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: Add fail-fast checks for JIRA_EMAIL and JIRA_API_TOKEN before invoking curl. If either variable is unset, the function will silently send an empty or malformed credential string, resulting in an ambiguous 401 instead of a clear configuration error.

jira_curl() {
  : "${JIRA_EMAIL:?JIRA_EMAIL is required}"
  : "${JIRA_API_TOKEN:?JIRA_API_TOKEN is required}"
  printf 'user = "%s:%s"\n' "$JIRA_EMAIL" "$JIRA_API_TOKEN" |
    curl -s -K - "$@"
}
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At docs/ja-JP/skills/jira-integration/SKILL.md, line 72:

<comment>Add fail-fast checks for `JIRA_EMAIL` and `JIRA_API_TOKEN` before invoking curl. If either variable is unset, the function will silently send an empty or malformed credential string, resulting in an ambiguous 401 instead of a clear configuration error.

```bash
jira_curl() {
  : "${JIRA_EMAIL:?JIRA_EMAIL is required}"
  : "${JIRA_API_TOKEN:?JIRA_API_TOKEN is required}"
  printf 'user = "%s:%s"\n' "$JIRA_EMAIL" "$JIRA_API_TOKEN" |
    curl -s -K - "$@"
}
```</comment>

<file context>
@@ -65,6 +65,15 @@ MCP が利用できない場合は、`curl` またはヘルパースクリプト
+
+```bash
+jira_curl() {
+  printf 'user = "%s:%s"\n' "$JIRA_EMAIL" "$JIRA_API_TOKEN" |
+    curl -s -K - "$@"
+}
</file context>
Suggested change
printf 'user = "%s:%s"\n' "$JIRA_EMAIL" "$JIRA_API_TOKEN" |
: "${JIRA_EMAIL:?JIRA_EMAIL is required}"
: "${JIRA_API_TOKEN:?JIRA_API_TOKEN is required}"
printf 'user = "%s:%s"\n' "$JIRA_EMAIL" "$JIRA_API_TOKEN" |

@affaan-m affaan-m merged commit 70fde3c into affaan-m:main Jun 7, 2026
3 checks passed
syarfandi pushed a commit to syarfandi/ECC that referenced this pull request Jun 9, 2026
* fix(skills): avoid curl credential argv leaks

* test(ci): guard secret curl examples
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Security] API tokens passed via curl flags expose credentials in process list and shell history (jira-integration, social-publisher)

2 participants