
Key: QB-2483
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: Robin Shen
Reporter: John Szakmeister
Votes: 0
Watchers: 0
QuickBuild

Password exposed when error occurs using Git over HTTP(S)...

Created: 03/Jul/15 11:15 AM   Updated: 11/Jul/15 12:43 AM
Component/s: None
Affects Version/s: 6.0.14
Fix Version/s: 6.0.22

Original Estimate: Unknown Remaining Estimate: Unknown Time Spent: Unknown


Description
I feel like this bug has been fixed numerous times, yet it keeps popping up. :-( I found this in the step log on an instance of QB:

06:15:27,320 DEBUG - Executing command: git clone --no-checkout https://jszakmeister:******@github.com/neovim/neovim.git /home/quickbuild/buildagent/workspace/root/neovim/pull-requests-automated
06:15:27,320 DEBUG - Command working directory: /home/quickbuild/buildagent/workspace/root/neovim/pull-requests-automated
06:15:27,324 DEBUG - Cloning into '/home/quickbuild/buildagent/workspace/root/neovim/pull-requests-automated'...
06:15:49,814 DEBUG - Executing command: git fetch --all
06:15:49,814 DEBUG - Command working directory: /home/quickbuild/buildagent/workspace/root/neovim/pull-requests-automated
06:15:49,816 DEBUG - Fetching origin
06:15:50,173 DEBUG - Executing command: git fetch origin refs/pull/2943/head
06:15:50,173 DEBUG - Command working directory: /home/quickbuild/buildagent/workspace/root/neovim/pull-requests-automated
06:17:57,739 ERROR - error: The requested URL returned error: 403 while accessing https://jszakmeister:6e0a047da7e1553ad811b727ed6beb6a1eef04c6@github.com/neovim/neovim.git/info/refs
06:17:57,739 ERROR - fatal: HTTP request failed
06:17:57,741 DEBUG - Saving scm rc file ...
06:17:57,745 DEBUG - Saving scm rc file ...
06:17:57,812 INFO - Executing post-execute action...
06:17:57,812 ERROR - Step 'master>buildall>build-node?testNode=linux-64>checkout' is failed: Failed to run command: git fetch origin refs/pull/2943/head
Command return code: 128
Command error output: error: The requested URL returned error: 403 while accessing https://jszakmeister:******@github.com/neovim/neovim.git/info/refs
fatal: HTTP request failed

Note: I changed the token. Perhaps there's a better way to catch this stuff with some sort of filter to prevent passwords from being exposed?

Robin Shen [04/Jul/15 01:48 AM]
We did not realize that the git command itself can output the full URL containing the password. This issue will be fixed in the next patch release. A workaround to avoid this is to put your password in a secret variable, for instance "password", and specify your git password as: ${vars.getValue("password")}.

PS: it is somewhat difficult to implement a filter at low log level to mask out all passwords, as the log facility does not know which part of the text is a password. However if secret variables are used, we can track it at log level. For other situations, we have to deal case by case at command execution level.

John Szakmeister [10/Jul/15 09:59 AM]
For the filtering, I was thinking that URLs of the form http(s)://username:password@example.com/ could have the password field obscured since it's a standard form.

If git is returning the password in the url, then how does putting it in a variable help anything? Wouldn't it be exposed just the same? FWIW, I didn't create the URL, I set the password field in the GitHub repo so that the status of the pull request can be updated. I'm not sure I have much choice in the matter.

John Szakmeister [10/Jul/15 09:59 AM]
(sorry for the late response... I never saw an email saying the issue was commented on)
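The two redaction approaches discussed in this thread, the pattern-based filter for `scheme://user:password@host` URLs that the reporter suggests and the tracking of known secret values that the assignee describes, can be combined in one log filter. The following is an added example written for this page; it is not QuickBuild's code, and the function names (`mask_url_passwords`, `mask_known_secrets`, `redact`, `leaked`), the sample log lines and the token value are all constructed for the illustration. It also shows why the URL pattern alone is not enough: a token that appears outside a URL (the last sample line) is only caught when the secret value itself is known to the filter.

```python
import re

MASK = "******"

# Userinfo in a URL: scheme://user:password@host ...
# group 1 = "scheme://user:", group 2 = password, group 3 = "@".
# The user part excludes ':' '@' '/' and whitespace; the password part
# excludes '@' '/' and whitespace (a password containing those characters
# would be percent-encoded in a valid URL, so this does not lose data).
_URL_PASSWORD_RE = re.compile(
    r"(\b[A-Za-z][A-Za-z0-9+.-]*://[^/\s:@]+:)([^@\s/]+)(@)"
)


def mask_url_passwords(line):
    """Replace the password in every scheme://user:password@host URL in a line.

    Lines that are already masked come back unchanged, so the filter can be
    applied more than once (e.g. at command level and again at log level).
    """
    return _URL_PASSWORD_RE.sub(lambda m: m.group(1) + MASK + m.group(3), line)


def mask_known_secrets(line, secrets):
    """Replace every occurrence of each known secret value.

    Longest values are replaced first so that a secret which is a prefix of
    another secret does not leave the tail of the longer one in the output.
    """
    for secret in sorted((s for s in secrets if s), key=len, reverse=True):
        line = line.replace(secret, MASK)
    return line


def redact(line, secrets=()):
    """Apply both filters to one log line."""
    return mask_known_secrets(mask_url_passwords(line), secrets)


def redact_lines(lines, secrets=()):
    return [redact(line, secrets) for line in lines]


def leaked(lines, secrets):
    """Return the known secrets that still appear verbatim in the given lines.

    Useful as a last check before a log is persisted or shown in a UI.
    """
    return sorted({s for s in secrets for line in lines if s and s in line})


# Constructed sample, modelled on the step log in the report above.
# The token value is made up for this example.
SECRET_TOKEN = "constructed-token-0123456789abcdef"
SAMPLE_LOG = [
    "06:15:27,320 DEBUG - Executing command: git clone --no-checkout "
    "https://jszakmeister:" + SECRET_TOKEN + "@github.com/neovim/neovim.git /tmp/ws",
    "06:17:57,739 ERROR - error: The requested URL returned error: 403 while accessing "
    "https://jszakmeister:" + SECRET_TOKEN + "@github.com/neovim/neovim.git/info/refs",
    "06:17:57,740 ERROR - fatal: HTTP request failed",
    # The secret outside a URL: only the known-secret filter catches this one.
    "06:17:57,741 DEBUG - token used for status update: " + SECRET_TOKEN,
]

if __name__ == "__main__":
    cleaned = redact_lines(SAMPLE_LOG, [SECRET_TOKEN])
    for line in cleaned:
        print(line)
    print("leaked:", leaked(cleaned, [SECRET_TOKEN]))
```

The URL filter is cheap and needs no configuration, which is why it is worth running on every line regardless of where the credential came from; the known-secret filter is what makes the secret-variable workaround effective, since the log facility can only mask a value it has been told is a secret.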