From e658e838f906bebebde8484df6f492bcda737abe Mon Sep 17 00:00:00 2001 From: "Kai (Tam Nhu) Tran" <61256810+kaitranntt@users.noreply.github.com> Date: Sat, 23 May 2026 21:44:35 -0400 Subject: [PATCH] fix(cliproxy): scrub GitLab PAT env after token-login auth (#1360) * fix(cliproxy): scrub gitlab pat env var after auth handoff * style: apply prettier formatting --- src/cliproxy/auth/oauth-handler.ts | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/cliproxy/auth/oauth-handler.ts b/src/cliproxy/auth/oauth-handler.ts index 2622d8ff..a326722a 100644 --- a/src/cliproxy/auth/oauth-handler.ts +++ b/src/cliproxy/auth/oauth-handler.ts @@ -999,8 +999,8 @@ async function handleGitLabPatLogin( const baseUrl = normalizeGitLabBaseUrl(options?.gitlabBaseUrl); const knownTokenFiles = listProviderTokenSnapshots(provider, tokenDir); const suppliedToken = options?.gitlabPersonalAccessToken?.trim(); - const personalAccessToken = - suppliedToken || process.env['GITLAB_PERSONAL_ACCESS_TOKEN']?.trim() || undefined; + const envPersonalAccessToken = process.env['GITLAB_PERSONAL_ACCESS_TOKEN']?.trim() || undefined; + const personalAccessToken = suppliedToken || envPersonalAccessToken; let token = personalAccessToken; if (!token) { @@ -1015,6 +1015,11 @@ async function handleGitLabPatLogin( return null; } + // PAT provided via process env should never be forwarded to downstream runtime. + if (!suppliedToken && envPersonalAccessToken) { + delete process.env['GITLAB_PERSONAL_ACCESS_TOKEN']; + } + const response = await fetch(buildProxyUrl(target, '/v0/management/gitlab-auth-url'), { method: 'POST', headers: {