
[QB-2483] Password exposed when error occurs using Git over HTTP(S)...
Created: 03/Jul/15  Updated: 11/Jul/15

Status: Resolved
Project: QuickBuild
Component/s: None
Affects Version/s: 6.0.14
Fix Version/s: 6.0.22

Type: Bug Priority: Major
Reporter: John Szakmeister Assigned To: Robin Shen
Resolution: Fixed Votes: 0
Remaining Estimate: Unknown Time Spent: Unknown
Original Estimate: Unknown


Description
I feel like this bug has been fixed numerous times, yet it keeps popping up. :-( I found this in the step log on an instance of QB:

06:15:27,320 DEBUG - Executing command: git clone --no-checkout https://jszakmeister:******@github.com/neovim/neovim.git /home/quickbuild/buildagent/workspace/root/neovim/pull-requests-automated
06:15:27,320 DEBUG - Command working directory: /home/quickbuild/buildagent/workspace/root/neovim/pull-requests-automated
06:15:27,324 DEBUG - Cloning into '/home/quickbuild/buildagent/workspace/root/neovim/pull-requests-automated'...
06:15:49,814 DEBUG - Executing command: git fetch --all
06:15:49,814 DEBUG - Command working directory: /home/quickbuild/buildagent/workspace/root/neovim/pull-requests-automated
06:15:49,816 DEBUG - Fetching origin
06:15:50,173 DEBUG - Executing command: git fetch origin refs/pull/2943/head
06:15:50,173 DEBUG - Command working directory: /home/quickbuild/buildagent/workspace/root/neovim/pull-requests-automated
06:17:57,739 ERROR - error: The requested URL returned error: 403 while accessing https://jszakmeister:6e0a047da7e1553ad811b727ed6beb6a1eef04c6@github.com/neovim/neovim.git/info/refs
06:17:57,739 ERROR - fatal: HTTP request failed
06:17:57,741 DEBUG - Saving scm rc file ...
06:17:57,745 DEBUG - Saving scm rc file ...
06:17:57,812 INFO - Executing post-execute action...
06:17:57,812 ERROR - Step 'master>buildall>build-node?testNode=linux-64>checkout' is failed: Failed to run command: git fetch origin refs/pull/2943/head
Command return code: 128
Command error output: error: The requested URL returned error: 403 while accessing https://jszakmeister:******@github.com/neovim/neovim.git/info/refs
fatal: HTTP request failed

Note: I changed the token. Perhaps there's a better way to catch this stuff with some sort of filter to prevent passwords from being exposed?

Comments
Comment by Robin Shen [ 04/Jul/15 01:48 AM ]
We did not realize that the git command itself can output the full URL containing the password. This issue will be fixed in the next patch release. A workaround to avoid this is to put your password in a secret variable, for instance "password", and specify your git password as: ${vars.getValue("password")}.

PS: it is somewhat difficult to implement a filter at low log level to mask out all passwords, as the log facility does not know which part of the text is a password. However if secret variables are used, we can track it at log level. For other situations, we have to deal case by case at command execution level.
Comment by John Szakmeister [ 10/Jul/15 09:59 AM ]
For the filtering, I was thinking that URLs of the form http(s)://username:password@example.com/ could have the password field obscured, since it's a standard form.

If git is returning the password in the url, then how does putting it in a variable help anything? Wouldn't it be exposed just the same? FWIW, I didn't create the URL, I set the password field in the GitHub repo so that the status of the pull request can be updated. I'm not sure I have much choice in the matter.
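A defender-side log filter of the kind the two comments above discuss: mask the password field of any http(s)://user:password@host URL (the standard-form idea in the comment above) and, in addition, mask the literal values of known secret variables (the approach in Robin Shen's comment). This is an added example, not QuickBuild's code; the regex, the function names and the sample log lines are my own construction, and the example goes one step further than the comments by also masking a secret in its percent-encoded form.

```python
import re
from urllib.parse import quote

# Matches the "user:password@" part of an http(s) URL; only the password group is replaced.
# Regex and helper names are hypothetical, not QuickBuild's.
_URL_CRED_RE = re.compile(r"(https?://[^\s/:@]+:)([^\s/@]+)(@)")
MASK = "******"


def mask_url_passwords(line: str) -> str:
    """Obscure the password field of every http(s)://user:password@host URL in a log line."""
    return _URL_CRED_RE.sub(lambda m: m.group(1) + MASK + m.group(3), line)


def mask_known_secrets(line: str, secrets) -> str:
    """Mask literal occurrences of known secret values (e.g. secret-variable values).

    Each secret is also masked in its percent-encoded form, since it may have been
    URL-encoded before being embedded in a command line. Longer forms are replaced
    first so a secret that is a substring of another cannot leave a partial leak.
    """
    forms = set()
    for s in secrets:
        if s:
            forms.add(s)
            forms.add(quote(s, safe=""))
    for s in sorted(forms, key=len, reverse=True):
        line = line.replace(s, MASK)
    return line


def mask_log_line(line: str, secrets=()) -> str:
    """Apply both filters: URL-shape masking first, then known-secret masking."""
    return mask_known_secrets(mask_url_passwords(line), secrets)


# Constructed sample lines in the shape of the step log above; the token is made up.
SAMPLE_LINES = [
    "06:17:57,739 ERROR - error: The requested URL returned error: 403 while accessing "
    "https://jszakmeister:0123456789abcdef@github.com/neovim/neovim.git/info/refs",
    "06:15:49,814 DEBUG - Executing command: git fetch --all",
    "06:17:57,812 ERROR - Command error output: remote rejected token p@ss w0rd",
]


def demo():
    """Return the sample lines after masking, with one known secret-variable value."""
    return [mask_log_line(l, secrets=["p@ss w0rd"]) for l in SAMPLE_LINES]


if __name__ == "__main__":
    for masked in demo():
        print(masked)
```

Note that the URL filter only catches the standard user:password@host form; a secret that git prints in some other shape is only caught by the known-secret filter, which is why both are applied.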
Comment by John Szakmeister [ 10/Jul/15 09:59 AM ]
(sorry for the late response... I never saw an email saying the issue was commented on)
Generated at Fri May 03 11:56:26 UTC 2024 using JIRA 189.