Closed alanbover closed 7 months ago
Please fill out the rest of the template. It would be good to know if this impacts the latest version
In case you are interested, we have code to avoid leaking passwords encoded in URLs: https://github.com/Pix4D/cogito/blob/master/github/url.go
This seems to duplicate https://github.com/runatlantis/atlantis/issues/4060
Community Note
Overview of the Issue
Atlantis can leak GitHub credentials in logs. See an example of a log leaking some:
This happens because, when using a GitHub user and token, the remote is being configured as
https://<GH_user>:<GH Token>@github.com/<org>/<repo>.git
and logged git command errors that reference this remote will end up accidentally leaking the credentials. Here we can see how the command error is directly logged: https://github.com/runatlantis/atlantis/blob/1035d9263a687e6a43a102fa44030f3f4c93f579/server/events/working_dir.go#L188
Atlantis should parse the output first and figure out if the token is being leaked. In that case, it should redact it.
Reproduction Steps
I don't have specific instructions to reproduce the problem. The specific error we see (getting remote update failed: error: could not lock config file .git/config: File exists) seems to happen due to a non-parallelizable git operation, so I guess it happens when many plans are created for the same PR.
Logs
Environment details
Additional Context
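A redaction step of the kind the issue asks for, as an added example that is not Atlantis's own code nor the linked cogito helper: it takes the configured remote URL, extracts the secret from its userinfo, and scrubs every spelling of it from a git error message before that message is logged. The remote URL, token and error text below are constructed placeholders, and the minimum secret length is an assumption.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// RedactRemoteCredentials returns msg with the secret part of remoteURL's
// userinfo replaced by "<redacted>". The password is redacted when present;
// when the URL carries only a username (token-as-username style), that
// username is treated as the secret. Raw and percent-encoded spellings are
// both replaced, since git echoes whichever form it was configured with.
func RedactRemoteCredentials(remoteURL, msg string) string {
	u, err := url.Parse(remoteURL)
	if err != nil || u.User == nil {
		return msg // no credentials embedded in the remote, nothing to redact
	}
	secret, ok := u.User.Password()
	if !ok || secret == "" {
		secret = u.User.Username()
	}
	// Assumption: anything shorter than this is not a token; replacing it
	// would mangle unrelated text. Tune to the deployment's token format.
	if len(secret) < 8 {
		return msg
	}
	for _, form := range []string{secret, url.QueryEscape(secret), url.PathEscape(secret)} {
		msg = strings.ReplaceAll(msg, form, "<redacted>")
	}
	return msg
}

func main() {
	// Constructed sample: a remote configured the way the issue describes and
	// a git error that quotes it back. The token is a placeholder, not a real one.
	remote := "https://atlantis-bot:ghp_EXAMPLETOKEN0123456789@github.com/example-org/example-repo.git"
	gitErr := "getting remote update failed: fatal: unable to access '" + remote + "/': Could not resolve host"
	fmt.Println(RedactRemoteCredentials(remote, gitErr))
}
```

Calling this on the error string before it reaches the logger keeps the remote URL recognisable in the log while the token itself never appears.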