History | Log In     View a printable version of the current page.  
Issue Details (XML | Word | Printable)

Key: QB-3303
Type: Improvement Improvement
Status: Closed Closed
Resolution: Won't Fix
Priority: Major Major
Assignee: Steve Luo
Reporter: Robin Shen
Votes: 1
Watchers: 1
Operations

If you were logged in you would be able to see more operations.
QuickBuild

Mask out git password in git config file

Created: 04/Dec/18 11:21 PM   Updated: 30/Apr/21 11:42 AM
Component/s: None
Affects Version/s: 8.0.28
Fix Version/s: None

Original Estimate: Unknown Remaining Estimate: Unknown Time Spent: Unknown


 All   Comments   Work Log   Change History      Sort Order:
Robin Shen [17/Jan/19 06:17 AM]
Currently git password is displayed in the config file, and customer does not like this behavior.

Steve Luo [09/May/19 09:09 AM]
When we checkout source code with http/https, the password can be found in .git/config file, this is by default the git behaviour.

So if this way is not what they want, user can checkout by ssh mode.

AlSt [30/Apr/21 11:35 AM]
I think this is still a topic and a way how to mitigate that is to create a script or any other binary with:

-----------------------------------------
#!/bin/bash
echo $GIT_PASSWORD
-----------------------------------------

and run the git command with the environment variables

GIT_ASKPASS=/path/to/askpass-script.sh
GIT_PASSWORD=<the password>

set

this way it will use the password supplied via the environment variable and not store it at all because it is no part of the URL

The benefit of using this approach is that the password is only visible in plaintext to the git process (and of course if you have the knowledge how to get the environment variables of another process, but at least it is not stored permanently)

Another even more secure way would be to have a logic to decrypt the password in the script and store the PW encrypted in GIT_PASSWORD, so the only way how to get the PW would be to read the memory of the git process and extract the PW from there somehow.

AlSt [30/Apr/21 11:38 AM]
One addition: I did not test these. The stack overflow entry here https://stackoverflow.com/questions/8536732/can-i-hold-git-credentials-in-environment-variables claims that the method I described also will store the PW in the config file. So this is something to test.

AlSt [30/Apr/21 11:42 AM]
I just tested this and it works as I described. The user is indeed stored in the config, but the password is not.