GitPython icon indicating copy to clipboard operation
GitPython copied to clipboard
verified publisher icon gitpython-developers

Command's DEBUG reveals username/password from URL

Open zbika73 opened this issue 1 year ago • 3 comments

DEBUG output from cmd.py module displays all parameters, including URL with username/password passed as part of URL.

Pay attention: some commands (like: clone) hide sensitive data:

DEBUG [cmd.py 1057] Popen(['git', 'clone', '-v', '--branch=repo_template', '--', 'https://*****:*****@bitbucket.company.com/scm/abc/deployment-repository.git', '/tmp/aca_clone_gj18o2n9'], cwd=/home/jenkins/workspace/abc/abc_wizard, stdin=None, shell=False, universal_newlines=True)

While Exception and other commands (like: remote add) do not hide:

DEBUG [cmd.py 1057] Popen(['git', 'remote', 'add', '--', 'origin','https://username:[email protected]/scm/kafka/qaz-repository.git'], cwd=/tmp/aca_clone_gj18o2n9,stdin=None, shell=False, universal_newlines=False) ERROR [git_wrapper.py 511] Exception from git: stderr: 'fatal: unable to access 'https://username:[email protected]/scm/kafka/qaz-repository.git/': URL using bad/illegal format or missing URL'

zbika73 avatar Jun 04 '24 20:06 zbika73

Thanks for reporting.

Could you also show the python code that triggers these? I have a suspicion.

In any case, there already is functionality to hide seemingly sensitive data, but it's based on knowing where the data is. If these debug lines are caused by repo.git.free_command() this wouldn't be the case.

If in doubt, that debug message can probably just be removed or downgraded to trace.

Byron avatar Jun 04 '24 20:06 Byron

Our core code:

try:
    repo = Repo.init(clpath, initial_branch=brname)
    repo.git.add(all=True)
    repo.index.commit(commit_message)
    repo.create_remote('origin', url=repository_to)
    repo.git.push('-u', 'origin', f'HEAD:{brname}')
except GitCommandError as ex:
    errmsg = str(ex.stderr)
    errmsg = re.sub(r'(.*fatal: )(.*)\n', r'\2', errmsg).strip('\n').rstrip("'")
    logger.error(f"Exception from git: {errmsg}")

Mentioned clone call (from other place in our code) that hides credentials in DEBUG output:

cloned = Repo.clone_from(repository_from, clpath, branch=source_branch)

zbika73 avatar Jun 05 '24 11:06 zbika73

Thanks a lot! It looks like the create_remote() call is indeed provided by GitPython, and that it should ideally run the same obfuscation function that is also used in clone().

Further, one should probably review the public API and find all URL parameters, and assure that these are obfuscated in the log.

Byron avatar Jun 05 '24 15:06 Byron