HL7 FHIR IG Publisher Implementation Guide Publisher CLI GitHub Credentials Exposure Vulnerability

Vulnerability

A vulnerability exists in the HL7 FHIR IG Publisher prior to version 1.8.9, where the IG Publisher CLI can unintentionally expose GitHub usernames and credentials. This occurs in continuous integration (CI) environments when the tool uses Git commands to fetch the repository URL. If the repository is cloned using a credentials-based URL, the full URL, including sensitive information, is incorporated into the generated Implementation Guide. This issue does not affect users who clone public repositories without credentials, such as those utilizing the auto-ig-build CI infrastructure.

Impact

The vulnerability allows for the exposure of GitHub usernames and credentials through the generated Implementation Guide, specifically in CI contexts where a credentials-based repository URL is used.

Remediation

Users should update to version 1.8.9 or the latest release. Alternatively, ensure that the IG repository does not include usernames or credentials in the 'origin' URL. This can be verified by running 'git remote origin url', which should return a URL devoid of sensitive information. If necessary, the IG Publisher CLI can be run with the '-repo' parameter to specify a URL that does not contain usernames, passwords, or tokens.
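As an added example (not taken from the advisory or from the IG Publisher project), the following POSIX shell script performs the pre-build check described above in a form that can run as a CI step: it reads the origin URL with git's own "git remote get-url origin" subcommand, flags any http(s) URL whose authority part carries a user name or token before the "@", and prints a credential-free form of the URL that can be handed to the -repo parameter instead. The function names, the --check flag and the sample URLs are constructed for this example; SSH-style URLs such as git@github.com:org/repo.git are left alone because the "git" user there is not a secret.

```shell
#!/bin/sh
# Added example: detect credentials embedded in the git 'origin' URL before
# running the IG Publisher in CI. Not part of the IG Publisher project.

# Return 0 (true) when an http(s) URL has a userinfo part (user or user:token)
# in front of the host, which is what ends up in the generated IG.
url_has_credentials() {
    url=$1
    case "$url" in
        http://*|https://*) ;;
        *) return 1 ;;            # ssh:// and scp-style URLs are not checked here
    esac
    rest=${url#*://}              # everything after the scheme
    authority=${rest%%/*}         # host part, possibly "user:token@host"
    case "$authority" in
        *@*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the same URL with any userinfo removed, suitable for '-repo'.
# Non-http(s) URLs are echoed unchanged.
redact_url() {
    url=$1
    case "$url" in
        http://*|https://*) ;;
        *) printf '%s\n' "$url"; return 0 ;;
    esac
    scheme=${url%%://*}
    rest=${url#*://}
    authority=${rest%%/*}
    host=${authority##*@}         # drop everything up to and including '@'
    case "$rest" in
        */*) path=/${rest#*/} ;;
        *)   path= ;;
    esac
    printf '%s%s\n' "$scheme://$host" "$path"
}

# Inspect the repository's real origin remote. Exit status:
#   0 = clean, 1 = credentials present, 2 = no origin remote / not a git repo.
check_origin() {
    origin=$(git remote get-url origin 2>/dev/null) || {
        echo "check_origin: no 'origin' remote found" >&2
        return 2
    }
    if url_has_credentials "$origin"; then
        echo "check_origin: origin URL embeds credentials." >&2
        echo "Pass a clean URL instead, e.g. -repo $(redact_url "$origin")" >&2
        return 1
    fi
    echo "check_origin: origin URL is free of credentials"
    return 0
}

# Only touch the working tree when explicitly asked, so the functions above
# can be sourced or unit-tested without a git checkout.
if [ "${1:-}" = "--check" ]; then
    check_origin
fi
```

In a pipeline, run "sh check_origin.sh --check" before invoking the IG Publisher and fail the job on a non-zero status; the redacted URL it prints is the value to supply through -repo when the checkout itself must keep using a token.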

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.2
impact: 2.5
exploitability: 3.5
remediation: 8.3
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.