runatlantis / atlantis

Terraform Pull Request Automation
https://www.runatlantis.io

Github credentials leak in logs #4121

Closed alanbover closed 7 months ago

alanbover commented 8 months ago

Community Note


Overview of the Issue

Atlantis can leak Github credentials in logs. See an example of a log leaking some:

getting remote update failed: error: could not lock config file .git/config: File exists
fatal: could not set 'remote.head.url' to 'https://<redacted>:ghp_<redacted>@github.com/<redacted>/<redacted>.git'

This happens because, when using a github user and token, the remote is being configured as https://<GH_user>:<GH Token>@github.com/<org>/<repo>.git, and logged git command errors that reference this remote will end up accidentally leaking the credentials.

Here we can see how the command error is directly logged https://github.com/runatlantis/atlantis/blob/1035d9263a687e6a43a102fa44030f3f4c93f579/server/events/working_dir.go#L188

Atlantis should parse the output first and figure out if the token is being leaked. In that case, it should redact it.

Reproduction Steps

I don't have specific instructions to reproduce the problem. The specific error we see (getting remote update failed: error: could not lock config file .git/config: File exists) seems to happen due to a non-parallelizable git operation, so I guess it happens when many plans are created for the same PR.

Logs

Environment details

Additional Context

nitrocode commented 8 months ago

Please fill out the rest of the template. It would be good to know if this impacts the latest version

marco-m commented 8 months ago

In case you are interested, we have code to avoid leaking passwords encoded in URLs: https://github.com/Pix4D/cogito/blob/master/github/url.go
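The redaction step proposed in the report (scrub any user:token@ userinfo from git output before it reaches the logger), written here as an added example; this is not code from the Atlantis project, from the linked cogito repository, or from any participant in this thread. The function names, the regular expression and the sample error line are constructed for illustration and modelled on the redacted log line quoted in the issue.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// userinfoInURL matches the "user:password@" (or "token@") part of an
// http(s) URL. The character class stops at "/", whitespace and "@", so a
// URL without credentials (https://github.com/org/repo.git) never matches,
// because no "@" follows the host.
var userinfoInURL = regexp.MustCompile(`(https?://)[^/\s@]+@`)

// RedactURLCredentials replaces the whole userinfo component of every
// http(s) URL in s with "<redacted>", keeping scheme and host intact so the
// log line stays useful for debugging. Both user and token are dropped,
// matching the shape of the log line in the report.
func RedactURLCredentials(s string) string {
	return userinfoInURL.ReplaceAllString(s, "${1}<redacted>@")
}

// RedactError wraps an error returned by a git command so that its message
// can be logged safely. A nil error is passed through unchanged.
func RedactError(err error) error {
	if err == nil {
		return nil
	}
	return errors.New(RedactURLCredentials(err.Error()))
}

func main() {
	// Constructed sample: the kind of combined stdout/stderr a failed
	// "git remote update" can produce when the remote URL embeds a token.
	gitOutput := "getting remote update failed: error: could not lock config file .git/config: File exists\n" +
		"fatal: could not set 'remote.head.url' to 'https://atlantis-bot:ghp_EXAMPLETOKEN@github.com/example-org/example-repo.git'"

	// Log the redacted form instead of the raw command output.
	fmt.Println(RedactURLCredentials(gitOutput))

	// Same treatment for an error value built from command output.
	err := errors.New("clone failed: https://atlantis-bot:ghp_EXAMPLETOKEN@github.com/example-org/example-repo.git")
	fmt.Println(RedactError(err))
}
```

Applying RedactURLCredentials to command output (and RedactError to the error values built from it) at the single point where git results are logged covers every git subcommand at once, rather than relying on each call site to remember to scrub the remote URL.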

nnovaeshc commented 7 months ago

This seems to duplicate https://github.com/runatlantis/atlantis/issues/4060