Skip to content

Command's DEBUG reveals username/password from URL #1927

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
zbika73 opened this issue Jun 4, 2024 · 3 comments
Open

Command's DEBUG reveals username/password from URL #1927

zbika73 opened this issue Jun 4, 2024 · 3 comments
Labels
acknowledged help wanted

Comments

@zbika73
Copy link

zbika73 commented Jun 4, 2024

DEBUG output from cmd.py module displays all parameters, including URL with username/password passed as part of URL.

Pay attention: some commands (like: clone) hide sensitive data:

DEBUG [cmd.py 1057] Popen(['git', 'clone', '-v', '--branch=repo_template', '--', 'https://*****:*****@bitbucket.company.com/scm/abc/deployment-repository.git', '/tmp/aca_clone_gj18o2n9'], cwd=/home/jenkins/workspace/abc/abc_wizard, stdin=None, shell=False, universal_newlines=True)

While Exception and other commands (like: remote add) do not hide:

DEBUG [cmd.py 1057] Popen(['git', 'remote', 'add', '--', 'origin','https://username:[email protected]/scm/kafka/qaz-repository.git'], cwd=/tmp/aca_clone_gj18o2n9,stdin=None, shell=False, universal_newlines=False)
ERROR [git_wrapper.py 511] Exception from git: stderr: 'fatal: unable to access 'https://username:[email protected]/scm/kafka/qaz-repository.git/': URL using bad/illegal format or missing URL'

@zbika73 zbika73 changed the title Command DEBUG reveals username/password from URL Command's DEBUG reveals username/password from URL Jun 4, 2024
@Byron
Copy link
Member

Byron commented Jun 4, 2024

Thanks for reporting.

Could you also show the python code that triggers these? I have a suspicion.

In any case, there already is functionality to hide seemingly sensitive data, but it's based on knowing where the data is.
If these debug lines are caused by repo.git.free_command() this wouldn't be the case.

If in doubt, that debug message can probably just be removed or downgraded to trace.

@zbika73
Copy link
Author

zbika73 commented Jun 5, 2024
edited
Loading

Our core code:

try:
    repo = Repo.init(clpath, initial_branch=brname)
    repo.git.add(all=True)
    repo.index.commit(commit_message)
    repo.create_remote('origin', url=repository_to)
    repo.git.push('-u', 'origin', f'HEAD:{brname}')
except GitCommandError as ex:
    errmsg = str(ex.stderr)
    errmsg = re.sub(r'(.*fatal: )(.*)\n', r'\2', errmsg).strip('\n').rstrip("'")
    logger.error(f"Exception from git: {errmsg}")

Mentioned clone call (from other place in our code) that hides credentials in DEBUG output:

cloned = Repo.clone_from(repository_from, clpath, branch=source_branch)

@Byron
Copy link
Member

Byron commented Jun 5, 2024

Thanks a lot! It looks like the create_remote() call is indeed provided by GitPython, and that it should ideally run the same obfuscation function that is also used in clone().

Further, one should probably review the public API and find all URL parameters, and assure that these are obfuscated in the log.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
acknowledged help wanted
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Byron @zbika73