harness / gitness

Gitness is an Open Source developer platform with Source Control management, Continuous Integration and Continuous Delivery.
https://gitness.com
Apache License 2.0

Credentials not needed from localhost #3469

Closed Nahiiko closed 5 months ago

Nahiiko commented 5 months ago

Hi,

Is it normal that I'm able to clone a private repo without any credentials using git clone http://192.168.X.XXX:5555/git/test/testrepo.git? Seems quite insecure to me.

It is working as intended (or so it seems) if I try git clone https://gitness.mywebsite.com/git/test/testrepo.git meaning I cannot clone without the credentials.

I tried using https (just in case that was the reason somehow); it didn't change anything. It seems even using the flag GITNESS_HTTP_PROTO=https didn't change anything? I could still access the instance using http only, and https did not resolve.

So three questions arise:

My docker-compose:

    name: gitness
    services:
      gitness:
        ports:
          - 5555:3000
        volumes:
          - /volume1/docker/gitness/data:/data
        container_name: gitness
        restart: always
        image: harness/gitness
        environment:

bradrydzewski commented 5 months ago

Why isn't the https flag working (or so it seems)

When you set the https flag, you are telling gitness that you have installed gitness behind a reverse proxy / load balancer with https termination enabled. https://docs.gitness.com/installation/ssl

Would a working https config enforce the credentials usage

No, https has no bearing on whether or not credentials are required to clone.

Why does the issue exist in the first place, shouldn't credentials be required all the time?

It shouldn't exist, and would be a regression if it does. Credentials should always be required for cloning private repositories. I've forwarded this issue to our engineers and asked them to research further. They should have an answer shortly.

hitesharinga commented 5 months ago

Hey @Nahiiko,

Could you verify if the repository is set to public? On the repository listing page, each repository is labeled as either public or private.

If it's private, please delete the token from the profile page and attempt the action again.

Nahiiko commented 5 months ago

I think I was able to reproduce (although I'm unsure)

It seems this is the process:

Unless it's on purpose that credentials are shared across Repos in the same Project? This might be the issue here, and it would also explain why the behavior is correct over the proxy (the credentials are probably saved on my end on a per-domain basis).

hitesharinga commented 5 months ago

Hey @Nahiiko,

Credentials are shared across Repos and projects.

bradrydzewski commented 5 months ago

Thanks @Nahiiko for providing additional details and thanks @hitesharinga for jumping in to troubleshoot.

Similar to a GitHub personal token or GitLab personal token, your Gitness personal token is tied to your user account. This means the token can be used to clone any repository to which your account has access. It sounds like this has been clarified, so closing. We can re-open if needed.
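As an added illustration of the two mechanisms this thread converges on (git silently reuses a stored credential for every repository on the same protocol and host:port, and a Gitness personal token is scoped to the account, so it clones any repo that account can read), here is a small Python model of git's credential-store matching; it is not part of this issue or of Gitness. The store contents, the 192.168.1.10 host and the token value are constructed placeholders, and `token_owner_for` is a helper name chosen here.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

@dataclass(frozen=True)
class StoredCredential:
    protocol: str
    host: str            # host:port as git stores it, e.g. "192.168.1.10:5555"
    username: str
    password: str        # for Gitness this is the personal access token
    path: Optional[str]  # only consulted when credential.useHttpPath is on

def parse_credential_store(text: str) -> List[StoredCredential]:
    """Parse ~/.git-credentials lines: protocol://user:secret@host[:port][/path]."""
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        u = urlsplit(line)
        host = u.netloc.rsplit("@", 1)[-1]        # drop "user:secret@", keep the port
        creds.append(StoredCredential(u.scheme, host, u.username or "",
                                      u.password or "", u.path.lstrip("/") or None))
    return creds

def lookup(creds, clone_url: str, use_http_path: bool = False):
    """Mimic git-credential-store matching: protocol and host:port must be equal;
    the repository path is compared only when credential.useHttpPath is enabled."""
    u = urlsplit(clone_url)
    want_host = u.netloc.rsplit("@", 1)[-1]
    want_path = u.path.lstrip("/") or None
    for c in creds:
        if c.protocol != u.scheme or c.host != want_host:
            continue
        if use_http_path and c.path != want_path:
            continue
        return c
    return None

# Constructed sample store: the host is a private-range placeholder and the
# token is a dummy string, not a real credential.
CONSTRUCTED_STORE = "http://nahiiko:DUMMY_TOKEN@192.168.1.10:5555\n"

def token_owner_for(clone_url: str, store_text: str = CONSTRUCTED_STORE):
    """Return the username whose stored token git would send for clone_url, or None.
    A non-None result means the clone is authenticated, just without a prompt."""
    cred = lookup(parse_credential_store(store_text), clone_url)
    return cred.username if cred else None
```

A clone of a second private repo on the same host:port therefore finds the first repo's token and succeeds with no prompt, while the reverse-proxied https hostname has no stored match and prompts as expected.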

Nahiiko commented 5 months ago

Alright perfect, thanks for helping out!