Merge pull request #1431 from Codium-ai/tr/protections23

fix: improve CLI argument validation for sensitive parameters
2025-07-05 05:10:38 +08:00 · 2025-01-01 16:10:30 +02:00
parent 04197a9271 e2be1f1cee
commit 36df75ce14
1 changed files with 13 additions and 7 deletions
--- a/pr_agent/agent/pr_agent.py
+++ b/pr_agent/agent/pr_agent.py
@ -64,13 +64,19 @@ class PRAgent:
                              'git_provider', 'skip_keys', 'key', 'ANALYTICS_FOLDER', 'uri', 'app_id', 'webhook_secret',
                              'bearer_token', 'PERSONAL_ACCESS_TOKEN', 'override_deployment_type', 'private_key', 'api_base', 'api_type', 'api_version']
        if args:
-            for forbidden_arg in forbidden_cli_args:
-                for arg in args:
-                    if forbidden_arg.lower() in arg.lower():
-                        get_logger().error(
-                            f"CLI argument for param '{forbidden_arg}' is forbidden. Use instead a configuration file."
-                        )
-                        return False
+            for arg in args:
+                if arg.startswith('--'):
+                    arg_word = arg.lower()
+                    arg_word = arg_word.replace('__', '.')  # replace double underscore with dot, e.g. --openai__key -> --openai.key
+                    for forbidden_arg in forbidden_cli_args:
+                        forbidden_arg_word = forbidden_arg.lower()
+                        if '.' not in forbidden_arg_word:
+                            forbidden_arg_word = '.' + forbidden_arg_word
+                        if forbidden_arg_word in arg_word:
+                            get_logger().error(
+                                f"CLI argument for param '{forbidden_arg}' is forbidden. Use instead a configuration file."
+                            )
+                            return False
        args = update_settings_from_args(args)

        action = action.lstrip("/").lower()