search

gitpython-developers / GitPython

GitPython is a python library used to interact with Git repositories.
http://gitpython.readthedocs.org
BSD 3-Clause "New" or "Revised" License
4.48k stars 897 forks source link

Command's DEBUG reveals username/password from URL #1927

Open zbika73 opened 1 month ago

zbika73 commented 1 month ago

DEBUG output from cmd.py module displays all parameters, including URL with username/password passed as part of URL.

Pay attention: some commands (like: clone) hide sensitive data:

DEBUG [cmd.py 1057] Popen(['git', 'clone', '-v', '--branch=repo_template', '--', 'https://*****:*****@bitbucket.company.com/scm/abc/deployment-repository.git', '/tmp/aca_clone_gj18o2n9'], cwd=/home/jenkins/workspace/abc/abc_wizard, stdin=None, shell=False, universal_newlines=True)

While Exception and other commands (like: remote add) do not hide:

DEBUG [cmd.py 1057] Popen(['git', 'remote', 'add', '--', 'origin','https://username:zOTU3O3!nk0b@bitbucket.company.com/scm/kafka/qaz-repository.git'], cwd=/tmp/aca_clone_gj18o2n9,stdin=None, shell=False, universal_newlines=False) ERROR [git_wrapper.py 511] Exception from git: stderr: 'fatal: unable to access 'https://username:zOTU3O3!nk0b@bitbucket.company.com/scm/kafka/qaz-repository.git/': URL using bad/illegal format or missing URL'

Byron commented 1 month ago

Thanks for reporting.

Could you also show the python code that triggers these? I have a suspicion.

In any case, there already is functionality to hide seemingly sensitive data, but it's based on knowing where the data is. If these debug lines are caused by repo.git.free_command() this wouldn't be the case.

If in doubt, that debug message can probably just be removed or downgraded to trace.

zbika73 commented 1 month ago

Our core code:

try:
    repo = Repo.init(clpath, initial_branch=brname)
    repo.git.add(all=True)
    repo.index.commit(commit_message)
    repo.create_remote('origin', url=repository_to)
    repo.git.push('-u', 'origin', f'HEAD:{brname}')
except GitCommandError as ex:
    errmsg = str(ex.stderr)
    errmsg = re.sub(r'(.*fatal: )(.*)\n', r'\2', errmsg).strip('\n').rstrip("'")
    logger.error(f"Exception from git: {errmsg}")

Mentioned clone call (from other place in our code) that hides credentials in DEBUG output:

cloned = Repo.clone_from(repository_from, clpath, branch=source_branch)

Byron commented 1 month ago

Thanks a lot! It looks like the create_remote() call is indeed provided by GitPython, and that it should ideally run the same obfuscation function that is also used in clone().

Further, one should probably review the public API and find all URL parameters, and assure that these are obfuscated in the log.