Security: Credentials in plugin source URLs exposed in logs, exceptions, and persisted state

[jpshackelford]

Problem

When fetching plugins from private repositories using authenticated URLs (e.g., https://oauth2:<token>@gitlab.com/org/private-marketplace), credentials are exposed in multiple places:

1. Application logs - Clone URLs and git commands are logged with credentials visible
2. Exception messages - Error messages include full URLs with credentials
3. Persisted conversation state - Plugin source URLs with credentials are stored in StoredConversation and ResolvedPluginSource

Business Impact

• Credential leakage to log aggregators: Tokens sent to centralized logging systems (Datadog, Splunk, etc.) where they may be accessible to operations teams or retained indefinitely
• Credential exposure in error responses: When plugin fetching fails, error messages containing credentials may be returned to API clients
• Credential persistence: Tokens stored in conversation state could be accessed by other processes or leaked through database backups
• Security audit failures: Logging credentials violates security best practices and compliance requirements

Expected Behavior

• Log messages should redact credentials from URLs (e.g., https://****@gitlab.com/repo)
• Exception messages should not contain authentication credentials
• Persisted state should store redacted URLs (credentials only needed at fetch time)

Reproduction

from openhands.sdk.plugin.fetch import fetch_plugin

# This will log the full URL with credentials
fetch_plugin(
    source='https://oauth2:SECRET_TOKEN@gitlab.com/org/repo',
    ref='main'
)

Logs will show:

INFO - Cloning repository from https://oauth2:SECRET_TOKEN@gitlab.com/org/repo.git

Related

• Security: Credentials in plugin source URLs exposed via API responses OpenHands#12959 - Related credential exposure in app server
• Part of Plugin Marketplace feature (Plugin Marketplace GUI OpenHands#12088)

[jpshackelford]

Technical Details

Affected Code

Logging with credentials

File	Line	Code
openhands/sdk/git/cached_repo.py	288	logger.info(f"Cloning repository from {url}")
openhands/sdk/git/utils.py	48	logger.error(f"{error_msg}. Exit code: {result.returncode}. Stderr: {result.stderr}")
openhands/sdk/git/utils.py	58	logger.debug(f"Git command succeeded: {shlex.join(args)}")
openhands/sdk/plugin/fetch.py	330	logger.warning(f"Could not get commit SHA for {source}: {e}")

Exceptions with credentials

File	Line	Code
openhands/sdk/plugin/fetch.py	163	raise PluginFetchError(f"Failed to fetch plugin from {source}")
openhands/sdk/plugin/fetch.py	324	raise PluginFetchError(f"Failed to fetch plugin from {source}")
openhands/sdk/git/utils.py	51-54	GitCommandError stores command list containing URL

Persistence with credentials

File	Field
openhands/agent_server/models.py	StoredConversation.plugins[].source
openhands/sdk/plugin/types.py	ResolvedPluginSource.source

---

Suggested Implementation

Step 1: Add URL redaction utility

Add to openhands/sdk/git/utils.py:

from urllib.parse import urlparse, urlunparse

def redact_url_credentials(url: str) -> str:
    """Redact credentials from a URL for safe logging/display.
    
    Examples:
        >>> redact_url_credentials('https://oauth2:token@gitlab.com/repo')
        'https://oauth2:****@gitlab.com/repo'
        >>> redact_url_credentials('https://gitlab.com/repo')
        'https://gitlab.com/repo'
    """
    parsed = urlparse(url)
    if parsed.password:
        netloc = f"{parsed.username}:****@{parsed.hostname}"
        if parsed.port:
            netloc += f":{parsed.port}"
        return urlunparse(parsed._replace(netloc=netloc))
    return url


def redact_command_credentials(args: list[str]) -> list[str]:
    """Redact credentials from a command argument list.
    
    Useful for logging git commands that may contain URLs with credentials.
    """
    return [redact_url_credentials(arg) if '://' in arg else arg for arg in args]

Step 2: Update logging calls

# cached_repo.py line 288
logger.info(f"Cloning repository from {redact_url_credentials(url)}")

# utils.py line 48
cmd_str_safe = shlex.join(redact_command_credentials(args))
logger.error(f"Git command failed: {cmd_str_safe}. Exit code: ...)

# utils.py line 58  
logger.debug(f"Git command succeeded: {shlex.join(redact_command_credentials(args))}")

# fetch.py line 330
logger.warning(f"Could not get commit SHA for {redact_url_credentials(source)}: {e}")

Step 3: Update exception messages

# fetch.py lines 163, 324
raise PluginFetchError(f"Failed to fetch plugin from {redact_url_credentials(source)}")

# utils.py - GitCommandError
# Store both original command (for internal use) and redacted version (for display)
class GitCommandError(GitError):
    command: list[str]
    command_redacted: list[str]  # For safe display
    
    def __init__(self, message: str, command: list[str], ...):
        self.command = command
        self.command_redacted = redact_command_credentials(command)
        # Use redacted version in the message
        super().__init__(message.replace(shlex.join(command), shlex.join(self.command_redacted)))

Step 4: Handle persistence (optional, lower priority)

For ResolvedPluginSource and StoredConversation, consider:

• Store redacted URL since credentials are only needed at fetch time
• Or add a @field_serializer to redact on serialization

---

Testing

Add tests to verify redaction:

def test_redact_url_credentials():
    assert redact_url_credentials('https://oauth2:secret@gitlab.com/repo') == 'https://oauth2:****@gitlab.com/repo'
    assert redact_url_credentials('https://gitlab.com/repo') == 'https://gitlab.com/repo'
    assert redact_url_credentials('git@github.com:org/repo.git') == 'git@github.com:org/repo.git'

def test_plugin_fetch_error_redacts_credentials():
    with pytest.raises(PluginFetchError) as exc_info:
        fetch_plugin('https://oauth2:secret@gitlab.com/nonexistent', ref='main')
    assert 'secret' not in str(exc_info.value)
    assert '****' in str(exc_info.value)

[jpshackelford]

Cross-Repository Usage Note

The redact_url_credentials() utility should be exported from the SDK's public API so that OpenHands/OpenHands can import and use it for the related issue (OpenHands/OpenHands#12959).

Suggested export location:

# openhands/sdk/git/__init__.py or openhands/sdk/utils.py
from openhands.sdk.git.utils import redact_url_credentials

__all__ = [..., 'redact_url_credentials']

This ensures:

1. Single canonical implementation of URL credential redaction
2. Consistent redaction behavior across both repositories
3. OpenHands/OpenHands can use it without duplicating code

The OpenHands/OpenHands fix (issue #12959) should wait for or coordinate with this SDK change.

[all-hands-bot]

[Automatic Post]: This issue has been waiting for triage. @xingyaoww @neubig @enyst, could you please take a look and add the appropriate priority label when you have a chance?

[jpshackelford]

@OpenHands open a PR for this issue.

[openhands-ai]

I'm on it! jpshackelford can track my progress at all-hands.dev

[openhands-ai]

Summary

I have successfully completed the task to fix issue #2152: "Security: Credentials in plugin source URLs exposed in logs, exceptions, and persisted state".

Checklist - Requirements Addressed

• ✅ Log messages redact credentials - Clone URLs and git commands now show https://****@host/path instead of exposing tokens
• ✅ Exception messages do not contain credentials - GitCommandError and PluginFetchError messages are sanitized
• ✅ Persisted state stores redacted URLs - ResolvedPluginSource.from_plugin_source() redacts credentials before persistence
• ✅ Cross-repository usage - redact_url_credentials() is exported from openhands.sdk public API for use in Security: Credentials in plugin source URLs exposed via API responses OpenHands#12959
• ✅ Tests added - 19 comprehensive tests covering various URL formats and edge cases
• ✅ All existing tests pass - 257 git and plugin tests continue to pass

Files Changed (6 files, +273/-14 lines)

1. openhands-sdk/openhands/sdk/git/utils.py - Added redact_url_credentials() and _redact_git_args() helper
2. openhands-sdk/openhands/sdk/git/cached_repo.py - Import and use redaction for clone logs
3. openhands-sdk/openhands/sdk/plugin/fetch.py - Redact in error messages and warnings
4. openhands-sdk/openhands/sdk/plugin/types.py - Redact in persistence
5. openhands-sdk/openhands/sdk/__init__.py - Export to public API
6. tests/sdk/git/test_credential_redaction.py - New test file

PR Created

PR #2196: #2196

The branch has already been pushed and the PR is open, awaiting CI and review.

[raymyers]

I see that OpenHands PR 12979 is waiting on this SDK change. Is #2196 ready for review, or are we still considering approaches?