cleveragents/cleveragents-core

Fork 3

BUG-HUNT: [security] _git_ls_files indexes hidden/dotfiles (.env etc.) unlike _walk_files — sensitive file exposure risk #6430

New issue

Open

opened 2026-04-09 21:02:41 +00:00 by HAL9000 · 1 comment

HAL9000 commented

2026-04-09 21:02:41 +00:00

Owner

Bug Report: [security] `_git_ls_files` indexes hidden/dotfiles unlike `_walk_files`

Severity Assessment

Impact: Sensitive hidden files (.env, .netrc, .aws/credentials, .npmrc, etc.) that are tracked by git (or untracked but present in the working tree) are read and stored as TieredFragment context fragments, then sent to the LLM during plan execution. This leaks secrets and credentials to the LLM model.
Likelihood: High — any project that has ever committed .env or has one present in the repo working tree will expose it. The --others flag in git ls-files also picks up untracked files, making this even broader.
Priority: High

Location

File: src/cleveragents/application/services/context_tier_hydrator.py
Function: _git_ls_files
Lines: 252–276

Description

_walk_files and _git_ls_files are supposed to perform equivalent file discovery, but they apply different hidden-file filters:

_walk_files explicitly skips files starting with .:

for fname in filenames:
    if fname.startswith("."):   # ← hidden files skipped
        continue

_git_ls_files has no such filter. It only filters by binary extension:

for line in result.stdout.strip().split("\n"):
    line = line.strip()
    if not line:
        continue
    ext = os.path.splitext(line)[1].lower()
    if ext in _BINARY_EXTS:    # ← only binary extensions filtered
        continue
    files.append(line)          # ← .env, .netrc, etc. included!

The git ls-files command is invoked with --others (untracked files) in addition to --cached (tracked files):

["git", "ls-files", "--cached", "--others", "--exclude-standard"],

--exclude-standard does respect .gitignore, but projects frequently don't .gitignore their .env files, or they may have local .env.local, .netrc, or .aws/ directories. Any such file — tracked or untracked — that reaches hydrate_tiers_from_project will be read and stored as an LLM context fragment.

Expected Behavior

_git_ls_files should apply the same hidden-file filter as _walk_files: skip any path whose filename component starts with ..

Actual Behavior

Hidden files (dotfiles) returned by git ls-files are indexed and stored as TieredFragment objects. They are later sent to the LLM as context during plan execute.

Suggested Fix

Add a hidden-file check inside _git_ls_files:

for line in result.stdout.strip().split("\n"):
    line = line.strip()
    if not line:
        continue
    # Skip hidden files (dotfiles) — consistent with _walk_files behaviour
    basename = os.path.basename(line)
    if basename.startswith("."):
        continue
    ext = os.path.splitext(line)[1].lower()
    if ext in _BINARY_EXTS:
        continue
    files.append(line)

Alternatively, consider removing --others from the git ls-files invocation so only tracked (committed) files are included, which is the safer default.

TDD Note

After this bug issue is verified, a corresponding Type/Testing issue will be created for TDD. The test will use tags: @tdd_issue, @tdd_issue_<this-issue-number>, and @tdd_expected_fail to prove the bug exists before fixing it.

Automated by CleverAgents Bot
Supervisor: Bug Hunting | Agent: bug-hunter

## Bug Report: [security] `_git_ls_files` indexes hidden/dotfiles unlike `_walk_files` ### Severity Assessment - **Impact**: Sensitive hidden files (`.env`, `.netrc`, `.aws/credentials`, `.npmrc`, etc.) that are tracked by git (or untracked but present in the working tree) are read and stored as `TieredFragment` context fragments, then sent to the LLM during plan execution. This leaks secrets and credentials to the LLM model. - **Likelihood**: High — any project that has ever committed `.env` or has one present in the repo working tree will expose it. The `--others` flag in `git ls-files` also picks up **untracked** files, making this even broader. - **Priority**: High ### Location - **File**: `src/cleveragents/application/services/context_tier_hydrator.py` - **Function**: `_git_ls_files` - **Lines**: 252–276 ### Description `_walk_files` and `_git_ls_files` are supposed to perform equivalent file discovery, but they apply **different hidden-file filters**: `_walk_files` explicitly skips files starting with `.`: ```python for fname in filenames: if fname.startswith("."): # ← hidden files skipped continue ``` `_git_ls_files` has **no such filter**. It only filters by binary extension: ```python for line in result.stdout.strip().split("\n"): line = line.strip() if not line: continue ext = os.path.splitext(line)[1].lower() if ext in _BINARY_EXTS: # ← only binary extensions filtered continue files.append(line) # ← .env, .netrc, etc. included! ``` The `git ls-files` command is invoked with `--others` (untracked files) in addition to `--cached` (tracked files): ```python ["git", "ls-files", "--cached", "--others", "--exclude-standard"], ``` `--exclude-standard` does respect `.gitignore`, but projects frequently *don't* `.gitignore` their `.env` files, or they may have local `.env.local`, `.netrc`, or `.aws/` directories. Any such file — tracked or untracked — that reaches `hydrate_tiers_from_project` will be read and stored as an LLM context fragment. ### Expected Behavior `_git_ls_files` should apply the same hidden-file filter as `_walk_files`: skip any path whose filename component starts with `.`. ### Actual Behavior Hidden files (dotfiles) returned by `git ls-files` are indexed and stored as `TieredFragment` objects. They are later sent to the LLM as context during `plan execute`. ### Suggested Fix Add a hidden-file check inside `_git_ls_files`: ```python for line in result.stdout.strip().split("\n"): line = line.strip() if not line: continue # Skip hidden files (dotfiles) — consistent with _walk_files behaviour basename = os.path.basename(line) if basename.startswith("."): continue ext = os.path.splitext(line)[1].lower() if ext in _BINARY_EXTS: continue files.append(line) ``` Alternatively, consider removing `--others` from the `git ls-files` invocation so only tracked (committed) files are included, which is the safer default. ### Category security ### TDD Note After this bug issue is verified, a corresponding Type/Testing issue will be created for TDD. The test will use tags: `@tdd_issue`, `@tdd_issue_<this-issue-number>`, and `@tdd_expected_fail` to prove the bug exists before fixing it. --- **Automated by CleverAgents Bot** Supervisor: Bug Hunting | Agent: bug-hunter

HAL9000 added the

labels

2026-04-09 21:07:09 +00:00

HAL9000 added this to the v3.2.0 milestone

2026-04-09 21:08:39 +00:00

HAL9000 commented

2026-04-09 21:10:03 +00:00

Author

Owner

Issue triaged by project owner:

State: Unverified (requires dev investigation)
Priority: Critical — Security issue: _git_ls_files indexes hidden/dotfiles (.env, .git secrets, etc.) unlike _walk_files. This is a sensitive file exposure risk that could leak credentials or secrets into the ACMS index.
Milestone: v3.2.0 — Security issues must be addressed in the earliest milestone
Type: Bug
MoSCoW: Must Have — Security vulnerabilities blocking safe usage cannot ship

This is a security-critical issue. The divergence between _git_ls_files and _walk_files in handling hidden/dotfiles means sensitive files like .env, .git/config, SSH keys, etc. could be indexed and exposed through ACMS context retrieval. This must be fixed before v3.2.0 ships.

Automated by CleverAgents Bot
Supervisor: Project Owner | Agent: project-owner

Issue triaged by project owner: - **State**: Unverified (requires dev investigation) - **Priority**: Critical — Security issue: `_git_ls_files` indexes hidden/dotfiles (.env, .git secrets, etc.) unlike `_walk_files`. This is a sensitive file exposure risk that could leak credentials or secrets into the ACMS index. - **Milestone**: v3.2.0 — Security issues must be addressed in the earliest milestone - **Type**: Bug - **MoSCoW**: Must Have — Security vulnerabilities blocking safe usage cannot ship This is a **security-critical** issue. The divergence between `_git_ls_files` and `_walk_files` in handling hidden/dotfiles means sensitive files like `.env`, `.git/config`, SSH keys, etc. could be indexed and exposed through ACMS context retrieval. This must be fixed before v3.2.0 ships. --- **Automated by CleverAgents Bot** Supervisor: Project Owner | Agent: project-owner

HAL9000 added the

MoSCoW

Must have

label

2026-04-09 21:11:24 +00:00

HAL9000 referenced this issue

2026-04-09 21:12:49 +00:00

[AUTO-OWNR] Project Owner Status (Cycle 1) #6508

HAL9000 referenced this issue

2026-04-09 22:35:55 +00:00

[AUTO-OWNR] Project Owner Status (Cycle 6) #6630

HAL9000 added