Skip to content

fetchhead: strip credentials from remote URL #5373

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ethomson merged 1 commit into from
Feb 1, 2020
Merged

fetchhead: strip credentials from remote URL #5373

ethomson merged 1 commit into from
Feb 1, 2020

Conversation

@pks-t
Copy link
Member

@pks-t pks-t commented Jan 31, 2020

If fetching from an anonymous remote via its URL, then the URL gets
written into the FETCH_HEAD reference. This is mainly done to give
valuable context to some commands, like for example git-merge(1), which
will put the URL into the generated MERGE_MSG. As a result, what gets
written into FETCH_HEAD may become public in some cases. This is
especially important considering that URLs may contain credentials, e.g.
when cloning 'https://foo:bar@example.com/repo' we persist the complete
URL into FETCH_HEAD and put it without any kind of sanitization into the
MERGE_MSG. This is obviously bad, as your login data has now just leaked
as soon as you do git-push(1).

When writing the URL into FETCH_HEAD, upstream git does strip
credentials first. Let's do the same by trying to parse the remote URL
as a "real" URL, removing any credentials and then re-formatting the
URL. In case this fails, e.g. when it's a file path or not a valid URL,
we just fall back to using the URL as-is without any sanitization. Add
tests to verify our behaviour.

May fix #5370

@pks-t pks-t mentioned this pull request Jan 31, 2020
Closed
@pks-t
Copy link
Member Author

pks-t commented Jan 31, 2020

/rebuild

@libgit2-azure-pipelines
Copy link

libgit2-azure-pipelines bot commented Jan 31, 2020

Sorry @pks-t, an error occurred while trying to requeue the build.

@pks-t pks-t force-pushed the pks/fetchhead-strip-creds branch from 54ef4b6 to 93a9044 Compare January 31, 2020 14:25
@pks-t
fetchhead: strip credentials from remote URL
93a9044 
If fetching from an anonymous remote via its URL, then the URL gets
written into the FETCH_HEAD reference. This is mainly done to give
valuable context to some commands, like for example git-merge(1), which
will put the URL into the generated MERGE_MSG. As a result, what gets
written into FETCH_HEAD may become public in some cases. This is
especially important considering that URLs may contain credentials, e.g.
when cloning 'https://foo:bar@example.com/repo' we persist the complete
URL into FETCH_HEAD and put it without any kind of sanitization into the
MERGE_MSG. This is obviously bad, as your login data has now just leaked
as soon as you do git-push(1).

When writing the URL into FETCH_HEAD, upstream git does strip
credentials first. Let's do the same by trying to parse the remote URL
as a "real" URL, removing any credentials and then re-formatting the
URL. In case this fails, e.g. when it's a file path or not a valid URL,
we just fall back to using the URL as-is without any sanitization. Add
tests to verify our behaviour.
@ethomson ethomson merged commit 5597517 into libgit2:master Feb 1, 2020
@implausible implausible mentioned this pull request Feb 26, 2020
Closed
@pks-t pks-t mentioned this pull request Mar 26, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ethomson ethomson ethomson approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Merge msg may contain password

2 participants

@pks-t @ethomson