@rossigee rossigee commented Dec 9, 2025

Description

Removes token and credentials file globs for files that Continue should not access.

This matches legitimate source files that we would want our AI agents to be able to read and manage, such as 'tokens.py', 'tokens.go', 'tokens.c', etc.

Example:

○ Read(src/pkg/token/options.go)

● Reading or Editing src/pkg/token/options.go is not allowed because it is a security concern. Do not attempt to read or edit this
  file in any way.

AI Code Review

  • Team members only: AI review runs automatically when PR is opened or marked ready for review
  • Team members can also trigger a review by commenting @continue-review

Checklist

  • [] I've read the contributing guide
  • [] The relevant docs, if any, have been updated or created
  • [] The relevant tests, if any, have been updated or created

Screen recording or screenshot

N/A

Tests

N/A


Summary by cubic

Relaxed security ignore patterns by removing token.*, credentials.*, and the bare token/credentials filenames from indexing. This prevents excluding legitimate source files (e.g., tokens.py) while still ignoring *.token and other clear secret files (e.g., *.secret, *.secrets, auth.json).

Written for commit 19f7a1a. Summary will update automatically on new commits.

@rossigee rossigee requested a review from a team as a code owner December 9, 2025 20:04
@rossigee rossigee requested review from Patrick-Erichsen and removed request for a team December 9, 2025 20:04

continue bot commented Dec 9, 2025

Keep this PR in a mergeable state →

Learn more

All Green is an AI agent that automatically:

✅ Addresses code review comments

✅ Fixes failing CI checks

✅ Resolves merge conflicts

@dosubot dosubot bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Dec 9, 2025

@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 1 file

@github-project-automation github-project-automation bot moved this from Todo to In Progress in Issues and PRs Dec 9, 2025
@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Dec 9, 2025

@RomneyDa RomneyDa left a comment

@rossigee I agree with this change. I think you could also remove the credentials and tokens folder blockers. Looks like some tests will need to be updated since they are now failing.

@dosubot dosubot bot removed the lgtm This PR has been approved by a maintainer label Dec 9, 2025

continue bot commented Dec 9, 2025

I've created a branch with the necessary test updates and IntelliJ pattern fixes: docs/update-pr-9085-tests

Changes

Test Updates (core/indexing/ignore.vitest.ts)

  • Removed test expectation for credentials.json which no longer matches after removing the credentials.* pattern
  • Added new test cases to verify legitimate source files (like tokens.py, credentials.go, token_manager.py, etc.) are not incorrectly blocked

IntelliJ Implementation (IntelliJIde.kt)

  • Removed credentials.* and token.* patterns from the IntelliJ security ignore list to match the core TypeScript changes
  • Ensures consistent behavior across both IDE extensions

How to Apply

You can cherry-pick the commits or merge the branch into your PR:

git fetch https://github.com/continuedev/continue.git docs/update-pr-9085-tests
git cherry-pick dffe4c8 358863f

Or view the changes:

@dosubot dosubot bot added size:S This PR changes 10-29 lines, ignoring generated files. and removed size:XS This PR changes 0-9 lines, ignoring generated files. labels Dec 9, 2025
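
The false positive this thread is about, and the trade-off in the fix, as an added example (not code from the PR or from Continue): a simplified gitignore-style matcher audits a "before" and an "after" pattern list against sample paths. The matcher, both lists and every path are assumptions built from names mentioned in the thread; the "after" list assumes the folder entries were also dropped, as suggested in review.

```typescript
// Added example: simplified matcher, NOT Continue's implementation.
function globToRegExp(glob: string): RegExp {
  // Escape regex metacharacters, then let "*" match any run of non-slash characters.
  const escaped = glob.replace(/[.+^${}()|[\]\\?]/g, "\\$&").replace(/\*/g, "[^/]*");
  return new RegExp("^" + escaped + "$");
}

// A pattern ending in "/" matches a directory segment anywhere in the path;
// any other pattern is tested against the file's basename only.
function isBlocked(path: string, patterns: string[]): boolean {
  const segments: string[] = path.split("/");
  const basename: string = segments[segments.length - 1];
  const dirs: string[] = segments.slice(0, -1);
  return patterns.some((p: string) => {
    if (p.slice(-1) === "/") {
      const re = globToRegExp(p.slice(0, -1));
      return dirs.some((d: string) => re.test(d));
    }
    return globToRegExp(p).test(basename);
  });
}

// Assumed lists (the thread names these entries but does not show the real file).
const KEPT: string[] = ["*.token", "*.secret", "*.secrets", "auth.json"];
const BEFORE: string[] = ["token.*", "credentials.*", "token/", "credentials/"].concat(KEPT);
const AFTER: string[] = KEPT;

// Constructed sample paths.
const MUST_ALLOW: string[] = ["src/pkg/token/options.go", "src/auth/credentials.go", "lib/token.py"];
const MUST_BLOCK: string[] = ["deploy/api.token", "config/app.secret", "home/.config/auth.json"];

// Source files wrongly blocked, and secret files wrongly readable, under one list.
function audit(patterns: string[]): { falsePositives: string[]; missed: string[] } {
  return {
    falsePositives: MUST_ALLOW.filter((p: string) => isBlocked(p, patterns)),
    missed: MUST_BLOCK.filter((p: string) => !isBlocked(p, patterns)),
  };
}

// Paths that were blocked before the change and become readable after it.
function newlyAllowed(paths: string[]): string[] {
  return paths.filter((p: string) => isBlocked(p, BEFORE) && !isBlocked(p, AFTER));
}

console.log("before:", audit(BEFORE));
console.log("after: ", audit(AFTER));
// credentials.json is the cost of the fix: the updated tests no longer expect it to match.
console.log("newly readable:", newlyAllowed(["config/credentials.json", "deploy/api.token"]));
```

Running `newlyAllowed` over a real repository listing before merging a change like this shows which files the narrower list exposes to the agent.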
@rossigee rossigee changed the title from "Fix overzealous security regexp." to "fix: overzealous 'token' and 'credential' security regexps" Dec 9, 2025
rossigee and others added 5 commits December 11, 2025 03:16

Remove test expectation for credentials.json which no longer matches after
removing credentials.* pattern. Add new tests to verify legitimate source
files (tokens.py, credentials.go, etc.) are not blocked.

Co-authored-by: nate <[email protected]>

Remove credentials.* and token.* patterns from IntelliJ security ignore
list to match the TypeScript core changes. This ensures consistent behavior
across both IDE extensions.

Co-authored-by: nate <[email protected]>

@rossigee rossigee force-pushed the fix/overzealous-security-pattern branch from 19fece7 to 19f7a1a Compare December 10, 2025 20:17
Labels

size:S This PR changes 10-29 lines, ignoring generated files.

Projects

Status: In Progress

2 participants