From 7ddd703f45047c2947979361ccb5c418f16bce2f Mon Sep 17 00:00:00 2001
From: Elai Shalev
Date: Sun, 29 Mar 2026 12:22:17 +0300
Subject: [PATCH 1/2] fix policy lock json secret commit

---
 .../plugins/x2a-backend/templates/x2a-job-script.sh | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/workspaces/x2a/plugins/x2a-backend/templates/x2a-job-script.sh b/workspaces/x2a/plugins/x2a-backend/templates/x2a-job-script.sh
index 39f9e22bec..07210feab3 100644
--- a/workspaces/x2a/plugins/x2a-backend/templates/x2a-job-script.sh
+++ b/workspaces/x2a/plugins/x2a-backend/templates/x2a-job-script.sh
@@ -59,9 +59,9 @@ sanitize_secrets() {
 # Match GitHub PATs (ghp_, gho_, github_pat_) and generic token@host patterns in URLs
 local count=0
 while IFS= read -r -d '' file; do
- if grep -qE 'https?://[^@/:[:space:]]+@' "$file" 2>/dev/null; then
- # Strip token from URLs: https://ghp_xxx@github.com/... → https://github.com/...
- sed -i 's|https\?://[^@/:[:space:]]*@|https://|g' "$file"
+ if grep -qE 'https?://[^@/[:space:]]+@' "$file" 2>/dev/null; then
+ # Strip credentials from URLs: https://user:token@host/... → https://host/...
+ sed -i 's|https\?://[^@/[:space:]]*@|https://|g' "$file"
 echo " Sanitized: ${file#/workspace/target/}"
 count=$((count + 1))
 fi
@@ -235,8 +235,8 @@ case "${PHASE}" in
 # Note: x2a tool writes files to the source directory (--source-dir)
 echo "Copying output to ${PROJECT_PATH}/"
 cp -v "${SOURCE_BASE}/migration-plan.md" "${PROJECT_PATH}/"
- # Copy any other generated files (like metadata)
- cp -v "${SOURCE_BASE}"/*.json "${PROJECT_PATH}/" 2>/dev/null || true
+ # Copy generated metadata (only specific files — avoid copying Chef artifacts like Policyfile.lock.json)
+ cp -v "${SOURCE_BASE}/generated-project-metadata.json" "${PROJECT_PATH}/" 2>/dev/null || true
 cp -v "${SOURCE_BASE}"/*.yaml "${PROJECT_PATH}/" 2>/dev/null || true
 
 # Show what was created
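Review bot: The new `grep`/`sed` pair only matches credentials placed in a URL's userinfo (`scheme://…@`), while the unchanged comment just above the loop says the function matches GitHub PATs (ghp_, gho_, github_pat_); a bare token stored as a config value (a `token:` or `password:` key, an `Authorization` header) is neither rewritten nor counted in `count`. If no earlier pass in sanitize_secrets handles that case (the function body starts before this hunk, so I cannot see one), the comment should be narrowed to `# Strip credentials embedded in URL userinfo (user:token@host); bare tokens outside a URL are not detected here`, or a second pattern for the bare-token forms should be added. Two smaller points on the same lines: the `sed` replacement rewrites every matched `http://` URL as `https://`, which silently changes a URL the tool may later read back, and the `sed -i` exit status is unchecked, so a read-only file still prints `Sanitized:` without having been rewritten (`sed -i … "$file" || echo " WARNING: could not rewrite $file" >&2`). The `while` loop's input is produced outside the hunk, so whether binary files are filtered before `grep -q` (which exits 0 on a binary match and would then hand the file to `sed -i`) cannot be confirmed from here.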
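Review bot: The `cp -v "${SOURCE_BASE}"/*.yaml` line directly below the new allowlisted JSON copy still copies every YAML file from the source directory, which is exactly the wildcard pattern this commit removes for `*.json`; the same `*.yaml` copy survives in the hunks at -299 and -361. Unless the x2a tool is known to emit only its own YAML into `${SOURCE_BASE}`, the copy should name the expected YAML output the way `generated-project-metadata.json` is named here, or `sanitize_secrets` should be confirmed to run over `${PROJECT_PATH}`/`${OUTPUT_DIR}` after the copy (the `Sanitized: ${file#/workspace/target/}` message suggests it covers `/workspace/target`, but that relation is not visible in this hunk). Separately, `2>/dev/null || true` on the new line hides a missing `generated-project-metadata.json` entirely, so a renamed tool output would go unnoticed; a check such as `[[ -f "${SOURCE_BASE}/generated-project-metadata.json" ]] || echo "WARNING: generated-project-metadata.json not produced" >&2` keeps the best-effort copy while surfacing that case. The `case "${PHASE}"` arm this sits in begins before the hunk.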
@@ -299,7 +299,6 @@ case "${PHASE}" in
 # Note: x2a tool produces migration-plan-{module_name}.md (spaces replaced with underscores)
 echo "Copying output to ${OUTPUT_DIR}/"
 cp -v "${SOURCE_BASE}/migration-plan-${MODULE_NAME_SANITIZED}.md" "${OUTPUT_DIR}/"
- cp -v "${SOURCE_BASE}"/*.json "${OUTPUT_DIR}/" 2>/dev/null || true
 cp -v "${SOURCE_BASE}"/*.yaml "${OUTPUT_DIR}/" 2>/dev/null || true
 
 echo ""
@@ -361,7 +360,6 @@ case "${PHASE}" in
 # Note: x2a tool writes to ansible/roles/{module}/ in the source directory
 echo "Copying output to ${OUTPUT_DIR}/"
 cp -rv "${SOURCE_BASE}/ansible" "${OUTPUT_DIR}/" 2>/dev/null || true
- cp -v "${SOURCE_BASE}"/*.json "${OUTPUT_DIR}/" 2>/dev/null || true
 cp -v "${SOURCE_BASE}"/*.yaml "${OUTPUT_DIR}/" 2>/dev/null || true
 
 echo ""

From cc8c48504c4c57fe60e39922487a38e5caa56d17 Mon Sep 17 00:00:00 2001
From: Elai Shalev
Date: Sun, 29 Mar 2026 12:27:08 +0300
Subject: [PATCH 2/2] changeset

---
 workspaces/x2a/.changeset/fix-policy-lock-token-leak.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 workspaces/x2a/.changeset/fix-policy-lock-token-leak.md

diff --git a/workspaces/x2a/.changeset/fix-policy-lock-token-leak.md b/workspaces/x2a/.changeset/fix-policy-lock-token-leak.md
new file mode 100644
index 0000000000..c31feb5db0
--- /dev/null
+++ b/workspaces/x2a/.changeset/fix-policy-lock-token-leak.md
@@ -0,0 +1,5 @@
+---
+'@red-hat-developer-hub/backstage-plugin-x2a-backend': patch
+---
+
+Fix SCM token leak in Policyfile.lock.json: stop copying wildcard JSON files from Chef source directory and improve URL credential sanitization regex