[Security] One-shot token logs partial token values (first 4 chars) to stderr

[Mossaka]

Summary

The one-shot-token LD_PRELOAD library logs the first 4 characters of sensitive tokens to stderr when they are first accessed. In CI environments where stderr is captured in logs, this leaks partial secret values.

Location

containers/agent/one-shot-token/one-shot-token.c, lines 213-234 (format_token_value()) and lines 282-283, 346-347:

static const char *format_token_value(const char *value) {
    static char formatted[8];
    // ...
    snprintf(formatted, sizeof(formatted), "%.4s...", value);  // Shows first 4 chars
    return formatted;
}

// Called on every first token access:
fprintf(stderr, "[one-shot-token] Token %s accessed and cached (value: %s)\n", 
        name, format_token_value(token_cache[token_idx]));

Example output in CI logs:

[one-shot-token] Token GITHUB_TOKEN accessed and cached (value: ghp_...)
[one-shot-token] Token ANTHROPIC_API_KEY accessed and cached (value: sk-a...)

Risk

• GitHub tokens start with ghp_, gho_, ghs_ - the 4-char prefix already reveals the token type
• Combined with the token name, this narrows the search space for brute-force attacks
• CI logs are often accessible to a broader audience than the secrets themselves
• GitHub Actions step summaries and workflow logs persist for 90 days

Proposed Fix

Replace format_token_value() with a fixed-string indicator that doesn't reveal any characters:

fprintf(stderr, "[one-shot-token] Token %s accessed and cached (length: %zu)\n",
        name, strlen(token_cache[token_idx]));

Or simply remove the value from the log entirely:

fprintf(stderr, "[one-shot-token] Token %s accessed and cached\n", name);

Added By

PR #640 (feat: add skip-unset mode to one-shot token library). The Security Guard review flagged this concern.

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a high-priority security fix and assigned it to the Copilot agent.

The Copilot agent will analyze the issue and create a pull request to remove partial token value logging from the one-shot-token library.

Om nom nom! 🍪

AI generated by Issue Monster

[github-actions]

👋 Hello! I noticed this security issue is related to an existing issue:

• fix: restrict /proc/self/environ and docker-compose.yml secret exposure #620 - fix: restrict /proc/self/environ and docker-compose.yml secret exposure

Both issues address security concerns with the one-shot-token library, but they focus on different attack vectors:

• fix: restrict /proc/self/environ and docker-compose.yml secret exposure #620 addresses bypassing LD_PRELOAD via /proc/self/environ and plaintext tokens in docker-compose.yml
• This issue ([Security] One-shot token logs partial token values (first 4 chars) to stderr #758) addresses logging behavior that leaks partial token values to stderr/CI logs

These are complementary security improvements rather than duplicates. Consider coordinating fixes to ensure comprehensive protection against token exposure.

This is an automated message from the issue duplication detector.

AI generated by Issue Duplication Detector

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

AI generated by Issue Monster

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

AI generated by Issue Monster

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

AI generated by Issue Monster

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

🍪 Om nom nom by Issue Monster

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the issue and create a pull request fixing the format_token_value() function in containers/agent/one-shot-token/one-shot-token.c to stop logging partial token values to stderr.

Om nom nom! 🍪

🍪 Om nom nom by Issue Monster