kubernetes / git-sync

A sidecar app which clones a git repo and keeps it in sync with the upstream.
Apache License 2.0

Error msg exposes token in URL #851

Closed jameshearttech closed 6 months ago

jameshearttech commented 6 months ago

Successful sync logs show token as REDACTED.

$ docker run -it registry.k8s.io/git-sync/git-sync:v4.1.0 --repo=$REPO_GOOD --root=/git --link=link
INFO: detected pid 1, running init handler
{"logger":"","ts":"2023-12-13 21:44:27.713992","caller":{"file":"main.go","line":523},"level":0,"msg":"starting up","pid":11,"uid":65533,"gid":65533,"home":"/tmp","flags":["--add-user=false","--change-permissions=0","--cookie-file=false","--credential=[]","--depth=1","--exechook-backoff=3s","--exechook-timeout=30s","--git=git","--git-gc=always","--group-write=false","--help=false","--http-metrics=false","--http-pprof=false","--link=link","--man=false","--max-failures=0","--max-sync-failures=0","--one-time=false","--period=10s","--ref=HEAD","--repo=https://x-token-auth:REDACTED@bitbucket.org/example/repo.git","--root=/git","--ssh=false","--ssh-key-file=[/etc/git-secret/ssh]","--ssh-known-hosts=true","--ssh-known-hosts-file=/etc/git-secret/known_hosts","--stale-worktree-timeout=0s","--submodules=recursive","--sync-timeout=2m0s","--timeout=0","--v=-1","--verbose=0","--version=false","--wait=0","--webhook-backoff=3s","--webhook-method=POST","--webhook-success-status=200","--webhook-timeout=1s"]}
{"logger":"","ts":"2023-12-13 21:44:27.735489","caller":{"file":"main.go","line":1079},"level":0,"msg":"repo directory was empty or failed checks","path":"/git"}
{"logger":"","ts":"2023-12-13 21:44:27.735741","caller":{"file":"main.go","line":1089},"level":0,"msg":"initializing repo directory","path":"/git"}
{"logger":"","ts":"2023-12-13 21:44:28.786089","caller":{"file":"main.go","line":1639},"level":0,"msg":"update required","ref":"HEAD","local":"","remote":"7ef4fc62732cde2e8d8248f8ea4bef01264e2fab","syncCount":0}
{"logger":"","ts":"2023-12-13 21:44:33.184934","caller":{"file":"main.go","line":1690},"level":0,"msg":"updated successfully","ref":"HEAD","remote":"7ef4fc62732cde2e8d8248f8ea4bef01264e2fab","syncCount":1}

Error exposes token (main.go:784).

$ docker run -it registry.k8s.io/git-sync/git-sync:v4.1.0 --repo=$REPO_BAD --root=/git --link=link
INFO: detected pid 1, running init handler
{"logger":"","ts":"2023-12-13 21:45:38.868352","caller":{"file":"main.go","line":523},"level":0,"msg":"starting up","pid":13,"uid":65533,"gid":65533,"home":"/tmp","flags":["--add-user=false","--change-permissions=0","--cookie-file=false","--credential=[]","--depth=1","--exechook-backoff=3s","--exechook-timeout=30s","--git=git","--git-gc=always","--group-write=false","--help=false","--http-metrics=false","--http-pprof=false","--link=link","--man=false","--max-failures=0","--max-sync-failures=0","--one-time=false","--period=10s","--ref=HEAD","--repo=https://x-token-auth:REDACTED@bitbucket.org/example/repo.git","--root=/git","--ssh=false","--ssh-key-file=[/etc/git-secret/ssh]","--ssh-known-hosts=true","--ssh-known-hosts-file=/etc/git-secret/known_hosts","--stale-worktree-timeout=0s","--submodules=recursive","--sync-timeout=2m0s","--timeout=0","--v=-1","--verbose=0","--version=false","--wait=0","--webhook-backoff=3s","--webhook-method=POST","--webhook-success-status=200","--webhook-timeout=1s"]}
{"logger":"","ts":"2023-12-13 21:45:38.880327","caller":{"file":"main.go","line":1079},"level":0,"msg":"repo directory was empty or failed checks","path":"/git"}
{"logger":"","ts":"2023-12-13 21:45:38.880423","caller":{"file":"main.go","line":1089},"level":0,"msg":"initializing repo directory","path":"/git"}
{"logger":"","ts":"2023-12-13 21:45:39.799373","caller":{"file":"main.go","line":784},"msg":"too many failures, aborting","error":"Run(git ls-remote -q https://x-token-auth:this-is-not-a-valid-token@bitbucket.org/example/repo.git HEAD HEAD^{}): exit status 128: { stdout: \"\", stderr: \"remote: Invalid credentials\\nfatal: Authentication failed for 'https://bitbucket.org/example/repo.git/'\" }","failCount":1}

thockin commented 6 months ago

Can you instead pass the token via the GITSYNC_PASSWORD env var or the --password-file? That's going to be safer, for sure. That said, there are other logs that emit the value of --repo, which need to be redacted, but it's not always clear that they need to be (e.g. -v 5 emits all exec'ed commands).

If you run with -v 3 I think you'll see some.
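The leak above happens because the failing `git ls-remote` command line, including the credential embedded in the `--repo` URL, is copied verbatim into the error string. Below is an added example (not git-sync's own code, and not the fix in the linked PR) of the defensive pattern such a sidecar needs: a redactor that rewrites any `user:password@host` URL found in free text before it is logged, plus a check that a log scanner can use to flag strings that still carry an embedded password. The sample error string is constructed to match the shape of the log line in the issue; the token value in it is made up.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// sampleErr is a constructed copy of the error shape from the issue, with a
// made-up token. It is test input only, not a real credential.
const sampleErr = `Run(git ls-remote -q https://x-token-auth:this-is-not-a-valid-token@bitbucket.org/example/repo.git HEAD HEAD^{}): exit status 128: { stdout: "", stderr: "remote: Invalid credentials\nfatal: Authentication failed for 'https://bitbucket.org/example/repo.git/'" }`

// urlPattern finds scheme://... tokens inside free text (command lines, git
// stderr). It stops at whitespace and at the quote characters git and the
// logger wrap URLs in.
var urlPattern = regexp.MustCompile(`[a-zA-Z][a-zA-Z0-9+.-]*://[^\s"')]+`)

// RedactURL returns raw with any userinfo password replaced by REDACTED.
// The username is kept, matching what git-sync's own flag log shows
// (x-token-auth:REDACTED). Input that is not a URL with a password comes back
// unchanged, so the function is safe to apply to every match.
func RedactURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.User == nil {
		return raw
	}
	if _, has := u.User.Password(); !has {
		return raw
	}
	u.User = url.UserPassword(u.User.Username(), "REDACTED")
	return u.String()
}

// RedactText applies RedactURL to every URL embedded in text. This is the
// step that must run on an error or command string before it reaches a log
// line, a metrics label, or a crash message.
func RedactText(text string) string {
	return urlPattern.ReplaceAllStringFunc(text, RedactURL)
}

// HasEmbeddedCredential reports whether text still contains a URL carrying a
// non-redacted password. It is the check a log pipeline or a unit test can
// run to catch the class of leak reported in this issue.
func HasEmbeddedCredential(text string) bool {
	for _, m := range urlPattern.FindAllString(text, -1) {
		u, err := url.Parse(m)
		if err != nil || u.User == nil {
			continue
		}
		if pw, has := u.User.Password(); has && pw != "REDACTED" {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println("before:", sampleErr)
	fmt.Println("leaks credential:", HasEmbeddedCredential(sampleErr))
	clean := RedactText(sampleErr)
	fmt.Println("after: ", clean)
	fmt.Println("leaks credential:", HasEmbeddedCredential(clean))
}
```

Redaction at log time is a second line of defence; the primary one is the one suggested in the comment above: keep the secret out of the URL entirely and supply it through GITSYNC_PASSWORD or --password-file, so there is nothing in `--repo` to leak in the first place. Note that this redactor keeps the username; on hosts that accept the token itself as the username (no password part), the whole userinfo would need to be masked instead.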

thockin commented 6 months ago

https://github.com/kubernetes/git-sync/pull/852

thockin commented 6 months ago

Try that?

jameshearttech commented 6 months ago

@thockin I removed the username and password (i.e., token) from the repo URL. I specified the username x-token-auth using the --username parameter. I specified the password using the GITSYNC_PASSWORD env var. Thank you for the recommendation!