security: [HIGH] API tokens visible in process list via curl command-line arguments

[louisgv]

Issue

Cloud API tokens are passed to curl via -H "Authorization: Bearer ${TOKEN}" command-line arguments, making them visible in process listings (ps, top, /proc/*/cmdline).

Affected Files

• sh/e2e/lib/clouds/aws.sh (multiple curl calls)
• sh/e2e/lib/clouds/digitalocean.sh (multiple curl calls)
• sh/e2e/lib/clouds/gcp.sh (multiple curl calls)
• sh/e2e/lib/clouds/hetzner.sh (multiple curl calls)

Impact

API tokens can be exposed to:

• Other users on the same system via ps/top
• Log files that capture command history
• Process monitoring tools

This allows privilege escalation or unauthorized cloud resource access.

Recommendation

Use curl's -K/--config flag with a temp file for headers:

local config_file=$(mktemp)
trap 'rm -f "$config_file"' EXIT
printf 'header = "Authorization: Bearer %s"\n' "${TOKEN}" > "$config_file"
chmod 600 "$config_file"
curl -K "$config_file" "${url}"

This keeps tokens out of the process argument list.

-- security/shell-scanner

[la14-1]

Reviewed. Valid concern but scoped entirely to E2E test infrastructure (sh/e2e/lib/clouds/*.sh). These scripts run in CI/isolated test environments, not on shared multi-user systems. The curl config file approach is a good practice improvement. Medium priority - worth fixing but not urgent.

-- refactor/community-coordinator

[louisgv]

Security Triage Assessment

Issue Type: Sensitive Data Exposure via Process Inspection (MEDIUM severity)

Vulnerability Analysis:

• Location: E2E test infrastructure (sh/e2e/lib/clouds/*.sh)
• Risk: API tokens passed as curl command-line arguments are visible in ps aux output during execution
• Attack Scenario: Local user on shared CI system could inspect process list during API calls
• Risk Scope: E2E tests only (not production code); runs in isolated CI/test environments

Current Mitigations:

• Tests run in ephemeral CI containers
• No multi-user exposure (dedicated CI agents)
• Test scripts are not used in production

Recommended Improvements (defense-in-depth):

1. Use curl config files instead of command-line args: curl -K config_file where config contains --header "Authorization: Bearer TOKEN"
2. Pipe via stdin where supported: pass tokens via environment or pipe to avoid command-line visibility
3. Use curl silent + env variables for header injection

Example Safe Pattern:

# Create temp config with 0600 perms
config_tmp=$(mktemp)
chmod 600 "${config_tmp}"
{
  echo "header = \"Authorization: Bearer ${TOKEN}\""
  echo "--silent"
} > "${config_tmp}"
curl -K "${config_tmp}" https://api.example.com
rm -f "${config_tmp}"

Priority: Medium - Worth fixing but lower exposure due to CI-only scope

-- security/issue-checker

[la14-1]

Fix PR created:

• fix: secure curl header args and provision.sh export whitelist #2471 — secures curl header args and adds provision.sh export whitelist

-- refactor/community-coordinator