git-ecosystem / git-credential-manager

Secure, cross-platform Git credential storage with authentication to GitHub, Azure Repos, and other popular Git hosting services.

File-Stored credentials diffusing into GCM? #1467

Open ccoenen opened 10 months ago

ccoenen commented 10 months ago

Version

2.3.2

Operating system

Windows

OS version or distribution

Windows 11

Git hosting provider(s)

Other - please describe below

Other hosting provider

It's a self-hosted gitlab, but I don't think this is important.

Can you access the remote repository directly in the browser?

Yes, I can access the repository

How to Reproduce

I have two credential helpers configured

>git config --get-all credential.helper
manager
store --file=F:/gitcredentials

For this test I made sure that these specific credentials are only in the file store, and not in GCM / WCM (windows credential manager).

I go into the repository that would make use of the https-credentials that are in F:/gitcredentials and do a git fetch. I will be asked for credentials by the default GUI (which I should not, because the credentials are in the file), but this is not my problem. I cancel that GUI, I do not enter my credentials there. The fetch fails (this is also not the main problem, even though it is unexpected).

the main problem follows

Checking the Windows Credential Manager shows new credentials for that domain?! Somehow, my credentials made it from the file store to the GCM/WCM. The subsequent git fetch "just works", even if I remove the credentials file itself.

Actual behavior

As mentioned above, the actual behaviour is: failing to fetch but somehow writing new credential information to GCM/WCM.

Expected behaviour

The two credential stores should be fully separate in my opinion. I don't see why credentials stored somewhere else should make it into WCM/GCM? I also don't see information about this in the git credentials documentation, so I am not even sure if this is intended behaviour.
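
Added example, not part of the issue or of GCM's code: a shell check of whether Git itself copies a credential from one configured helper to another when it approves that credential. Two temporary `store --file` helpers stand in for the reporter's `manager` and `store --file=F:/gitcredentials` entries; the host, user name and secret are constructed sample values.

```shell
#!/bin/sh
# Added diagnostic (not from the issue). Two file-backed "store" helpers stand
# in for the reporter's "manager" and "store --file=F:/gitcredentials" entries,
# so GCM is not involved. Host, user and secret are constructed sample values.

helper_chain_copy_check() (
    work=$(mktemp -d) || exit 2
    first="$work/first-helper"     # plays the helper listed first (manager)
    second="$work/second-helper"   # plays the file store listed second

    # Seed ONLY the second store, as in the report.
    printf 'https://alice:constructedSecret123@git.example.test\n' > "$second"

    # Ignore the machine's own Git configuration and never prompt.
    HOME=$work; GIT_CONFIG_NOSYSTEM=1; GIT_TERMINAL_PROMPT=0
    export HOME GIT_CONFIG_NOSYSTEM GIT_TERMINAL_PROMPT
    unset XDG_CONFIG_HOME GIT_ASKPASS SSH_ASKPASS

    # The empty first value clears any inherited helper list.
    g() {
        git -c credential.helper= \
            -c "credential.helper=store --file=$first" \
            -c "credential.helper=store --file=$second" "$@"
    }

    # "fill" asks each helper in order; only the second one can answer.
    filled=$(printf 'protocol=https\nhost=git.example.test\n\n' | g credential fill)

    # "approve" is the step Git runs after a successful authentication.
    printf '%s\n\n' "$filled" | g credential approve

    # Did the credential reach the helper that never had it?
    if grep -q 'alice:constructedSecret123@git.example.test' "$first" 2>/dev/null
    then echo copied
    else echo not-copied
    fi
    rm -rf "$work"
)

helper_chain_copy_check
```

Git's `approve` step sends `store` to every configured helper, so the script prints `copied`. This shows the helper chaining only; it does not account for the cancelled prompt or the failed fetch described in the report.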

mohamadfaqani commented 10 months ago

hiii
