* [PATCH] clone/fetch: anonymize URLs in the reflog @ 2020-06-01 19:20 Johannes Schindelin via GitGitGadget 2020-06-01 21:47 ` Jeff King 2020-06-04 20:08 ` [PATCH v2] " Johannes Schindelin via GitGitGadget 0 siblings, 2 replies; 5+ messages in thread From: Johannes Schindelin via GitGitGadget @ 2020-06-01 19:20 UTC (permalink / raw) To: git; +Cc: Johannes Schindelin, Johannes Schindelin From: Johannes Schindelin <johannes.schindelin@gmx.de> Even if we strongly discourage putting credentials into the URLs passed via the command-line, there _is_ support for that, and users _do_ do that. Let's scrub them before writing them to the reflog. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> --- Anonymize URLs in the reflog This came up in an internal audit, but we do not consider this to be a big deal: the reflog is local and not really shared with anybody. Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-git-797%2Fdscho%2Fanonymize-clone-reflog-v1 Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-git-797/dscho/anonymize-clone-reflog-v1 Pull-Request: https://github.com/git/git/pull/797 builtin/clone.c | 10 ++++++---- builtin/fetch.c | 9 +++++++-- t/t5541-http-push-smart.sh | 15 +++++++++++++++ 3 files changed, 28 insertions(+), 6 deletions(-) diff --git a/builtin/clone.c b/builtin/clone.c index 1ad26f4d8c8..5fe637a6702 100644 --- a/builtin/clone.c +++ b/builtin/clone.c @@ -938,7 +938,7 @@ static int path_exists(const char *path) int cmd_clone(int argc, const char **argv, const char *prefix) { int is_bundle = 0, is_local; - const char *repo_name, *repo, *work_tree, *git_dir; + const char *repo_name, *repo, *display_repo, *work_tree, *git_dir; char *path, *dir; int dest_exists; const struct ref *refs, *remote_head; @@ -993,11 +993,13 @@ int cmd_clone(int argc, const char **argv, const char *prefix) path = get_repo_path(repo_name, &is_bundle); if (path) - repo = absolute_pathdup(repo_name); + display_repo = repo = absolute_pathdup(repo_name); else if (!strchr(repo_name, ':')) die(_("repository '%s' does not exist"), repo_name); - else + else { repo = repo_name; + display_repo = transport_anonymize_url(repo); + } /* no need to be strict, transport_set_option() will validate it again */ if (option_depth && atoi(option_depth) < 1) @@ -1014,7 +1016,7 @@ int cmd_clone(int argc, const char **argv, const char *prefix) die(_("destination path '%s' already exists and is not " "an empty directory."), dir); - strbuf_addf(&reflog_msg, "clone: from %s", repo); + strbuf_addf(&reflog_msg, "clone: from %s", display_repo); if (option_bare) work_tree = NULL; diff --git a/builtin/fetch.c b/builtin/fetch.c index bf6bab80fab..d58b7572114 100644 --- a/builtin/fetch.c +++ b/builtin/fetch.c @@ -1765,8 +1765,13 @@ int cmd_fetch(int argc, const char **argv, const char *prefix) /* Record the command line for the reflog */ strbuf_addstr(&default_rla, "fetch"); - for (i = 1; i < argc; i++) - strbuf_addf(&default_rla, " %s", argv[i]); + for (i = 1; i < argc; i++) { + /* This handles non-URLs gracefully */ + char *anon = transport_anonymize_url(argv[i]); + + strbuf_addf(&default_rla, " %s", anon); + free(anon); + } fetch_config_from_gitmodules(&submodule_fetch_jobs_config, &recurse_submodules); diff --git a/t/t5541-http-push-smart.sh b/t/t5541-http-push-smart.sh index 23be8ce92d6..2d60381a5e7 100755 --- a/t/t5541-http-push-smart.sh +++ b/t/t5541-http-push-smart.sh @@ -456,6 +456,21 @@ test_expect_success 'push status output scrubs password' ' grep "^To $HTTPD_URL/smart/test_repo.git" status ' +test_expect_success 'clone/fetch scrubs password from reflogs' ' + cd "$ROOT_PATH" && + git clone "$HTTPD_URL_USER_PASS/smart/test_repo.git" \ + reflog-test && + cd reflog-test && + test_commit prepare-for-force-fetch && + git switch -c away && + git fetch "$HTTPD_URL_USER_PASS/smart/test_repo.git" \ + +master:master && + # should have been scrubbed down to vanilla URL + git log -g master >reflog && + grep "$HTTPD_URL" reflog && + ! grep "$HTTPD_URL_USER_PASS" reflog +' + test_expect_success 'colorize errors/hints' ' cd "$ROOT_PATH"/test_repo_clone && test_must_fail git -c color.transport=always -c color.advice=always \ base-commit: af6b65d45ef179ed52087e80cb089f6b2349f4ec -- gitgitgadget ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] clone/fetch: anonymize URLs in the reflog 2020-06-01 19:20 [PATCH] clone/fetch: anonymize URLs in the reflog Johannes Schindelin via GitGitGadget @ 2020-06-01 21:47 ` Jeff King 2020-06-02 16:55 ` Junio C Hamano 2020-06-04 20:08 ` [PATCH v2] " Johannes Schindelin via GitGitGadget 1 sibling, 1 reply; 5+ messages in thread From: Jeff King @ 2020-06-01 21:47 UTC (permalink / raw) To: Johannes Schindelin via GitGitGadget; +Cc: git, Johannes Schindelin On Mon, Jun 01, 2020 at 07:20:02PM +0000, Johannes Schindelin via GitGitGadget wrote: > From: Johannes Schindelin <johannes.schindelin@gmx.de> > > Even if we strongly discourage putting credentials into the URLs passed > via the command-line, there _is_ support for that, and users _do_ do > that. > > Let's scrub them before writing them to the reflog. Good idea. > This came up in an internal audit, but we do not consider this to be a > big deal: the reflog is local and not really shared with anybody. Agreed. > builtin/clone.c | 10 ++++++---- > builtin/fetch.c | 9 +++++++-- > t/t5541-http-push-smart.sh | 15 +++++++++++++++ The patch itself looks very neatly done. > @@ -993,11 +993,13 @@ int cmd_clone(int argc, const char **argv, const char *prefix) > > path = get_repo_path(repo_name, &is_bundle); > if (path) > - repo = absolute_pathdup(repo_name); > + display_repo = repo = absolute_pathdup(repo_name); > else if (!strchr(repo_name, ':')) > die(_("repository '%s' does not exist"), repo_name); > - else > + else { > repo = repo_name; > + display_repo = transport_anonymize_url(repo); > + } Not introduced by your patch, but I had to read this a few times to make sure we always end up with repo and display_repo set. IMHO it would be easier to read as: if (this) { repo = ...; display_repo = ...; } else if (that) { repo = ...; display_repo = ...; } else { die(...); } instead of sticking the die() in the middle. Maybe just personal preference, though. :) > + # should have been scrubbed down to vanilla URL > + git log -g master >reflog && > + grep "$HTTPD_URL" reflog && > + ! grep "$HTTPD_URL_USER_PASS" reflog > +' And you make sure we retain the username. Nice. -Peff ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] clone/fetch: anonymize URLs in the reflog 2020-06-01 21:47 ` Jeff King @ 2020-06-02 16:55 ` Junio C Hamano 0 siblings, 0 replies; 5+ messages in thread From: Junio C Hamano @ 2020-06-02 16:55 UTC (permalink / raw) To: Jeff King; +Cc: Johannes Schindelin via GitGitGadget, git, Johannes Schindelin Jeff King <peff@peff.net> writes: > On Mon, Jun 01, 2020 at 07:20:02PM +0000, Johannes Schindelin via GitGitGadget wrote: > >> From: Johannes Schindelin <johannes.schindelin@gmx.de> >> >> Even if we strongly discourage putting credentials into the URLs passed >> via the command-line, there _is_ support for that, and users _do_ do >> that. >> >> Let's scrub them before writing them to the reflog. > > Good idea. > >> This came up in an internal audit, but we do not consider this to be a >> big deal: the reflog is local and not really shared with anybody. > > Agreed. Nice. >> builtin/clone.c | 10 ++++++---- >> builtin/fetch.c | 9 +++++++-- >> t/t5541-http-push-smart.sh | 15 +++++++++++++++ > > The patch itself looks very neatly done. > >> @@ -993,11 +993,13 @@ int cmd_clone(int argc, const char **argv, const char *prefix) >> >> path = get_repo_path(repo_name, &is_bundle); >> if (path) >> - repo = absolute_pathdup(repo_name); >> + display_repo = repo = absolute_pathdup(repo_name); >> else if (!strchr(repo_name, ':')) >> die(_("repository '%s' does not exist"), repo_name); >> - else >> + else { >> repo = repo_name; >> + display_repo = transport_anonymize_url(repo); >> + } > > Not introduced by your patch, but I had to read this a few times to make > sure we always end up with repo and display_repo set. IMHO it would be > easier to read as: > > if (this) { > repo = ...; > display_repo = ...; > } else if (that) { > repo = ...; > display_repo = ...; > } else { > die(...); > } > > instead of sticking the die() in the middle. Maybe just personal > preference, though. :) For a if/elseif cascade of few-liner blocks each, I do not think it would matter, but if a block were larger, having the die() case at the beginning or at the end would indeed make it easier to spot any anomalies. >> + # should have been scrubbed down to vanilla URL >> + git log -g master >reflog && >> + grep "$HTTPD_URL" reflog && >> + ! grep "$HTTPD_URL_USER_PASS" reflog >> +' > > And you make sure we retain the username. Nice. ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH v2] clone/fetch: anonymize URLs in the reflog 2020-06-01 19:20 [PATCH] clone/fetch: anonymize URLs in the reflog Johannes Schindelin via GitGitGadget 2020-06-01 21:47 ` Jeff King @ 2020-06-04 20:08 ` Johannes Schindelin via GitGitGadget 2020-06-04 20:30 ` Junio C Hamano 1 sibling, 1 reply; 5+ messages in thread From: Johannes Schindelin via GitGitGadget @ 2020-06-04 20:08 UTC (permalink / raw) To: git; +Cc: Johannes Schindelin, Johannes Schindelin From: Johannes Schindelin <johannes.schindelin@gmx.de> Even if we strongly discourage putting credentials into the URLs passed via the command-line, there _is_ support for that, and users _do_ do that. Let's scrub them before writing them to the reflog. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> --- Anonymize URLs in the reflog This came up in an internal audit, but we do not consider this to be a big deal: the reflog is local and not really shared with anybody. Changes since v1: * Changed the if...else if...else cadence to move the die() to the last arm * Stopped the memory leak of display_repo (allocated by transport_anonymize_url()) Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-git-797%2Fdscho%2Fanonymize-clone-reflog-v2 Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-git-797/dscho/anonymize-clone-reflog-v2 Pull-Request: https://github.com/git/git/pull/797 Range-diff vs v1: 1: 11c0d47c95e ! 1: 933a7353847 clone/fetch: anonymize URLs in the reflog @@ Commit message Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> ## builtin/clone.c ## -@@ builtin/clone.c: static int path_exists(const char *path) - int cmd_clone(int argc, const char **argv, const char *prefix) +@@ builtin/clone.c: int cmd_clone(int argc, const char **argv, const char *prefix) { int is_bundle = 0, is_local; -- const char *repo_name, *repo, *work_tree, *git_dir; -+ const char *repo_name, *repo, *display_repo, *work_tree, *git_dir; - char *path, *dir; + const char *repo_name, *repo, *work_tree, *git_dir; +- char *path, *dir; ++ char *path, *dir, *display_repo = NULL; int dest_exists; const struct ref *refs, *remote_head; + const struct ref *remote_head_points_at; @@ builtin/clone.c: int cmd_clone(int argc, const char **argv, const char *prefix) - path = get_repo_path(repo_name, &is_bundle); if (path) -- repo = absolute_pathdup(repo_name); -+ display_repo = repo = absolute_pathdup(repo_name); - else if (!strchr(repo_name, ':')) - die(_("repository '%s' does not exist"), repo_name); + repo = absolute_pathdup(repo_name); +- else if (!strchr(repo_name, ':')) +- die(_("repository '%s' does not exist"), repo_name); - else -+ else { ++ else if (strchr(repo_name, ':')) { repo = repo_name; + display_repo = transport_anonymize_url(repo); -+ } ++ } else ++ die(_("repository '%s' does not exist"), repo_name); /* no need to be strict, transport_set_option() will validate it again */ if (option_depth && atoi(option_depth) < 1) @@ builtin/clone.c: int cmd_clone(int argc, const char **argv, const char *prefix) "an empty directory."), dir); - strbuf_addf(&reflog_msg, "clone: from %s", repo); -+ strbuf_addf(&reflog_msg, "clone: from %s", display_repo); ++ strbuf_addf(&reflog_msg, "clone: from %s", ++ display_repo ? display_repo : repo); ++ free(display_repo); if (option_bare) work_tree = NULL; builtin/clone.c | 13 ++++++++----- builtin/fetch.c | 9 +++++++-- t/t5541-http-push-smart.sh | 15 +++++++++++++++ 3 files changed, 30 insertions(+), 7 deletions(-) diff --git a/builtin/clone.c b/builtin/clone.c index 1ad26f4d8c8..002d23ab0a2 100644 --- a/builtin/clone.c +++ b/builtin/clone.c @@ -939,7 +939,7 @@ int cmd_clone(int argc, const char **argv, const char *prefix) { int is_bundle = 0, is_local; const char *repo_name, *repo, *work_tree, *git_dir; - char *path, *dir; + char *path, *dir, *display_repo = NULL; int dest_exists; const struct ref *refs, *remote_head; const struct ref *remote_head_points_at; @@ -994,10 +994,11 @@ int cmd_clone(int argc, const char **argv, const char *prefix) path = get_repo_path(repo_name, &is_bundle); if (path) repo = absolute_pathdup(repo_name); - else if (!strchr(repo_name, ':')) - die(_("repository '%s' does not exist"), repo_name); - else + else if (strchr(repo_name, ':')) { repo = repo_name; + display_repo = transport_anonymize_url(repo); + } else + die(_("repository '%s' does not exist"), repo_name); /* no need to be strict, transport_set_option() will validate it again */ if (option_depth && atoi(option_depth) < 1) @@ -1014,7 +1015,9 @@ int cmd_clone(int argc, const char **argv, const char *prefix) die(_("destination path '%s' already exists and is not " "an empty directory."), dir); - strbuf_addf(&reflog_msg, "clone: from %s", repo); + strbuf_addf(&reflog_msg, "clone: from %s", + display_repo ? display_repo : repo); + free(display_repo); if (option_bare) work_tree = NULL; diff --git a/builtin/fetch.c b/builtin/fetch.c index bf6bab80fab..d58b7572114 100644 --- a/builtin/fetch.c +++ b/builtin/fetch.c @@ -1765,8 +1765,13 @@ int cmd_fetch(int argc, const char **argv, const char *prefix) /* Record the command line for the reflog */ strbuf_addstr(&default_rla, "fetch"); - for (i = 1; i < argc; i++) - strbuf_addf(&default_rla, " %s", argv[i]); + for (i = 1; i < argc; i++) { + /* This handles non-URLs gracefully */ + char *anon = transport_anonymize_url(argv[i]); + + strbuf_addf(&default_rla, " %s", anon); + free(anon); + } fetch_config_from_gitmodules(&submodule_fetch_jobs_config, &recurse_submodules); diff --git a/t/t5541-http-push-smart.sh b/t/t5541-http-push-smart.sh index 23be8ce92d6..2d60381a5e7 100755 --- a/t/t5541-http-push-smart.sh +++ b/t/t5541-http-push-smart.sh @@ -456,6 +456,21 @@ test_expect_success 'push status output scrubs password' ' grep "^To $HTTPD_URL/smart/test_repo.git" status ' +test_expect_success 'clone/fetch scrubs password from reflogs' ' + cd "$ROOT_PATH" && + git clone "$HTTPD_URL_USER_PASS/smart/test_repo.git" \ + reflog-test && + cd reflog-test && + test_commit prepare-for-force-fetch && + git switch -c away && + git fetch "$HTTPD_URL_USER_PASS/smart/test_repo.git" \ + +master:master && + # should have been scrubbed down to vanilla URL + git log -g master >reflog && + grep "$HTTPD_URL" reflog && + ! grep "$HTTPD_URL_USER_PASS" reflog +' + test_expect_success 'colorize errors/hints' ' cd "$ROOT_PATH"/test_repo_clone && test_must_fail git -c color.transport=always -c color.advice=always \ base-commit: af6b65d45ef179ed52087e80cb089f6b2349f4ec -- gitgitgadget ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH v2] clone/fetch: anonymize URLs in the reflog 2020-06-04 20:08 ` [PATCH v2] " Johannes Schindelin via GitGitGadget @ 2020-06-04 20:30 ` Junio C Hamano 0 siblings, 0 replies; 5+ messages in thread From: Junio C Hamano @ 2020-06-04 20:30 UTC (permalink / raw) To: Johannes Schindelin via GitGitGadget; +Cc: git, Johannes Schindelin "Johannes Schindelin via GitGitGadget" <gitgitgadget@gmail.com> writes: > diff --git a/builtin/clone.c b/builtin/clone.c > index 1ad26f4d8c8..002d23ab0a2 100644 > --- a/builtin/clone.c > +++ b/builtin/clone.c > @@ -939,7 +939,7 @@ int cmd_clone(int argc, const char **argv, const char *prefix) > { > int is_bundle = 0, is_local; > const char *repo_name, *repo, *work_tree, *git_dir; > - char *path, *dir; > + char *path, *dir, *display_repo = NULL; > int dest_exists; > const struct ref *refs, *remote_head; > const struct ref *remote_head_points_at; > @@ -994,10 +994,11 @@ int cmd_clone(int argc, const char **argv, const char *prefix) > path = get_repo_path(repo_name, &is_bundle); > if (path) > repo = absolute_pathdup(repo_name); > - else if (!strchr(repo_name, ':')) > - die(_("repository '%s' does not exist"), repo_name); > - else > + else if (strchr(repo_name, ':')) { > repo = repo_name; > + display_repo = transport_anonymize_url(repo); > + } else > + die(_("repository '%s' does not exist"), repo_name); > > /* no need to be strict, transport_set_option() will validate it again */ > if (option_depth && atoi(option_depth) < 1) > @@ -1014,7 +1015,9 @@ int cmd_clone(int argc, const char **argv, const char *prefix) > die(_("destination path '%s' already exists and is not " > "an empty directory."), dir); > > - strbuf_addf(&reflog_msg, "clone: from %s", repo); > + strbuf_addf(&reflog_msg, "clone: from %s", > + display_repo ? display_repo : repo); > + free(display_repo); The new patch is easier to see because display_repo becomes non NULL only when anonymization was necessary and done. Makes sense. Will queue. Thanks. ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-06-04 20:30 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-06-01 19:20 [PATCH] clone/fetch: anonymize URLs in the reflog Johannes Schindelin via GitGitGadget 2020-06-01 21:47 ` Jeff King 2020-06-02 16:55 ` Junio C Hamano 2020-06-04 20:08 ` [PATCH v2] " Johannes Schindelin via GitGitGadget 2020-06-04 20:30 ` Junio C Hamano
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).