Redact credentials from Git URLs in logs (#184)

* Redact git credentials from logs

Git URLs with authentication tokens were leaking in logs during
clone operations. Added GitLogger wrapper to automatically sanitize
credentials from all log output.

* Use URL parsing instead of regex

* Fix credential redaction in embedded URLs

The regex-based approach now correctly handles URLs embedded in error
messages. Simplified sanitizeGitData() to use general recursion for
all fields instead of field-specific logic.

* Use URL parsing instead of regex

Replaces regex pattern with simple string scanning to eliminate
ReDoS vulnerability while maintaining credential redaction.

* Fix formatting

* Improve credential redaction completeness

URL boundary detection now stops at structural delimiters
(quotes, brackets) to handle JSON/XML formats correctly.

GitLogger now sanitizes Error objects to prevent credential
leaks when error messages contain repository URLs.

Replace 'any' with Record<string, unknown> for type safety.

Author: ghostwriternr

.changeset/new-students-accept.md

@@ -0,0 +1,5 @@
+---
+'@cloudflare/sandbox': patch
+---
+
+Redact credentials from Git URLs in logs

.github/workflows/pullrequest.yml

@@ -120,8 +120,8 @@ jobs:
         with:
           context: .
           file: packages/sandbox/Dockerfile
-          platforms: linux/amd64  # Explicit single-arch for compatibility with release-amd64 cache
-          load: true  # Load into Docker daemon for local testing
+          platforms: linux/amd64 # Explicit single-arch for compatibility with release-amd64 cache
+          load: true # Load into Docker daemon for local testing
           tags: cloudflare/sandbox-test:${{ needs.unit-tests.outputs.version || '0.0.0' }}
           cache-from: |
             type=gha,scope=pr-${{ github.event.pull_request.number }}-amd64

.github/workflows/release.yml

@@ -119,7 +119,7 @@ jobs:
           context: .
           file: packages/sandbox/Dockerfile
           platforms: linux/amd64
-          push: false  # Don't push, just cache
+          push: false # Don't push, just cache
           cache-from: type=gha,scope=release-amd64
           cache-to: type=gha,mode=max,scope=release-amd64
           build-args: |
@@ -190,7 +190,7 @@ jobs:
           context: .
           file: packages/sandbox/Dockerfile
           platforms: linux/amd64
-          push: false  # Don't push, just cache
+          push: false # Don't push, just cache
           cache-from: type=gha,scope=release-amd64
           cache-to: type=gha,mode=max,scope=release-amd64
           build-args: |

CLAUDE.md

@@ -34,7 +34,7 @@ The Cloudflare Sandbox SDK enables secure, isolated code execution in containers
    - `CodeInterpreter`: High-level API for running Python/JavaScript with structured outputs
    - `proxyToSandbox()`: Request handler for preview URL routing
 
-2. **`@repo/shared` (packages/shared/)** - Shared types and error system
+2. **`@repo/shared` (packages/shared/)** - Shared utilities
    - Type definitions shared between SDK and container runtime
    - Centralized error handling and logging utilities
    - Not published to npm (internal workspace package)

CONTRIBUTING.md

@@ -15,17 +15,20 @@ Thank you for your interest in contributing to the Cloudflare Sandbox SDK! This
 
 1. Fork the repository to your GitHub account
 2. Clone your fork:
+
    ```bash
    git clone https://github.com/YOUR-USERNAME/sandbox-sdk.git
    cd sandbox-sdk
    ```
 
 3. Install dependencies:
+
    ```bash
    npm install
    ```
 
 4. Build the packages:
+
    ```bash
    npm run build
    ```
@@ -40,6 +43,7 @@ Thank you for your interest in contributing to the Cloudflare Sandbox SDK! This
 ### Making Changes
 
 1. Create a new branch for your changes:
+
    ```bash
    git checkout -b feat/your-feature-name
    # or
@@ -49,6 +53,7 @@ Thank you for your interest in contributing to the Cloudflare Sandbox SDK! This
 2. Make your changes following our coding standards (see CLAUDE.md)
 
 3. Run code quality checks:
+
    ```bash
    npm run check    # Linting + type checking
    npm run fix      # Auto-fix linting issues
@@ -73,6 +78,7 @@ Follow the [7 rules for great commit messages](https://cbea.ms/git-commit/):
 7. Use the body to explain what and why vs. how
 
 Example:
+
 ```
 Add session isolation for concurrent executions
 
@@ -90,11 +96,13 @@ npx changeset
 ```
 
 This will interactively guide you through:
+
 1. Selecting which packages to include
 2. Choosing the semantic version bump (`patch`, `minor`, or `major`)
 3. Writing a description of your changes
 
 Use semantic versioning:
+
 - `patch`: Bug fixes, minor improvements
 - `minor`: New features, non-breaking changes
 - `major`: Breaking changes
@@ -104,6 +112,7 @@ The changeset bot will comment on your PR if a changeset is needed.
 ## Submitting a Pull Request
 
 1. Push your branch to your fork:
+
    ```bash
    git push origin feat/your-feature-name
    ```
@@ -119,6 +128,7 @@ The changeset bot will comment on your PR if a changeset is needed.
 ### Review Process
 
 A maintainer will review your PR and may:
+
 - Request changes
 - Ask questions
 - Suggest improvements
@@ -135,12 +145,14 @@ We use Biome for linting and formatting. Key guidelines:
 - Write concise, readable code
 - Add comments for complex logic
 - Follow patterns in existing code
+- Use the provided logger (`this.logger.info()`) instead of `console.log()` in production code
 
 ## Testing
 
 ### Unit Tests
 
 Located in `packages/*/tests/`:
+
 - Test individual components in isolation
 - Mock external dependencies
 - Fast feedback loop
@@ -150,6 +162,7 @@ Run with: `npm test`
 ### E2E Tests
 
 Located in `tests/e2e/`:
+
 - Test full workflows against real Workers and containers
 - Require Docker
 - Slower but comprehensive

package-lock.json

@@ -1,5 +1,5 @@
 import type { Logger } from '@repo/shared';
-import { createLogger } from '@repo/shared';
+import { createLogger, GitLogger } from '@repo/shared';
 import { ExecuteHandler } from '../handlers/execute-handler';
 import { FileHandler } from '../handlers/file-handler';
 import { GitHandler } from '../handlers/git-handler';
@@ -96,6 +96,9 @@ export class Container {
     // Initialize SessionManager
     const sessionManager = new SessionManager(logger);
 
+    // Create git-specific logger that automatically sanitizes credentials
+    const gitLogger = new GitLogger(logger);
+
     // Initialize services
     const processService = new ProcessService(
       processStore,
@@ -108,7 +111,11 @@ export class Container {
       sessionManager
     );
     const portService = new PortService(portStore, securityAdapter, logger);
-    const gitService = new GitService(securityAdapter, logger, sessionManager);
+    const gitService = new GitService(
+      securityAdapter,
+      gitLogger,
+      sessionManager
+    );
     const interpreterService = new InterpreterService(logger);
 
     // Initialize handlers
@@ -117,7 +124,7 @@ export class Container {
     const fileHandler = new FileHandler(fileService, logger);
     const processHandler = new ProcessHandler(processService, logger);
     const portHandler = new PortHandler(portService, logger);
-    const gitHandler = new GitHandler(gitService, logger);
+    const gitHandler = new GitHandler(gitService, gitLogger);
     const interpreterHandler = new InterpreterHandler(
       interpreterService,
       logger