
[QB-3303] Mask out git password in git config file
Created: 04/Dec/18  Updated: 30/Apr/21

Status: Closed
Project: QuickBuild
Component/s: None
Affects Version/s: 8.0.28
Fix Version/s: None

Type: Improvement Priority: Major
Reporter: Robin Shen Assigned To: Steve Luo
Resolution: Won't Fix Votes: 1
Remaining Estimate: Unknown Time Spent: Unknown
Original Estimate: Unknown


Comments
Comment by Robin Shen [ 17/Jan/19 06:17 AM ]
Currently git password is displayed in the config file, and customer does not like this behavior.
Comment by Steve Luo [ 09/May/19 09:09 AM ]
When we check out source code with http/https, the password can be found in the .git/config file; this is the default git behaviour.

So if this is not what they want, the user can check out in ssh mode.
Comment by AlSt [ 30/Apr/21 11:35 AM ]
I think this is still a topic, and one way to mitigate it is to create a script or any other binary with:

-----------------------------------------
#!/bin/bash
# git runs this helper with the prompt text as $1 and reads the
# password from stdout; quote the variable so it is passed unchanged.
echo "$GIT_PASSWORD"
-----------------------------------------

and run the git command with the environment variables

GIT_ASKPASS=/path/to/askpass-script.sh
GIT_PASSWORD=<the password>

set.

This way it will use the password supplied via the environment variable and not store it at all, because it is not part of the URL.

The benefit of using this approach is that the password is only visible in plaintext to the git process (and, of course, to anyone who knows how to read the environment variables of another process, but at least it is not stored permanently).

Another, even more secure way would be to have logic in the script to decrypt the password and store the PW encrypted in GIT_PASSWORD, so the only way to get the PW would be to read the memory of the git process and extract it from there somehow.
Comment by AlSt [ 30/Apr/21 11:38 AM ]
One addition: I did not test these. The Stack Overflow entry at https://stackoverflow.com/questions/8536732/can-i-hold-git-credentials-in-environment-variables claims that the method I described will also store the PW in the config file. So this is something to test.
Comment by AlSt [ 30/Apr/21 11:42 AM ]
I just tested this and it works as I described. The user is indeed stored in the config, but the password is not.
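The check described in the comments above, as an added example that is not part of the ticket or of QuickBuild itself: the script below builds a GIT_ASKPASS helper, asks git to resolve credentials for a host the way a fetch would (with all configured credential helpers switched off so only the askpass helper answers), and then compares what ends up in .git/config for a remote URL that embeds the password against one that carries only the username. The host git.example.invalid, the user build and the password are constructed placeholders; no network access takes place.

```shell
#!/bin/bash
# Added example, not from the ticket: show that a GIT_ASKPASS helper hands git
# the password without it being written to .git/config, while a password that
# is part of the remote URL is stored there verbatim.
# Host, username and password below are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The askpass helper. git runs it with the prompt text as $1 and reads the
# reply from stdout. It only answers password prompts, so a username prompt
# gets an empty reply and the username from the URL is kept.
cat > "$WORK/askpass.sh" <<'EOF'
#!/bin/sh
case "$1" in
  *[Pp]assword*) printf '%s\n' "${GIT_PASSWORD:-}" ;;
  *) printf '\n' ;;
esac
EOF
chmod +x "$WORK/askpass.sh"

have_git() { command -v git >/dev/null 2>&1; }

# Resolve credentials for the placeholder host exactly as a fetch would, with
# every configured credential helper disabled (-c credential.helper= resets
# the helper list) and the terminal prompt disabled, so the askpass helper is
# the only source. Prints the password git ended up with.
askpass_password() {
  printf 'protocol=https\nhost=git.example.invalid\nusername=build\n\n' |
    GIT_ASKPASS="$WORK/askpass.sh" GIT_PASSWORD="$1" GIT_TERMINAL_PROMPT=0 \
    git -c credential.helper= credential fill |
    sed -n 's/^password=//p'
}

# Create a repo named $1 under the work dir, add $2 as its origin URL, and
# print what git stored for it in .git/config.
stored_remote_url() {
  local repo="$WORK/$1"
  git init -q "$repo"
  git -C "$repo" remote add origin "$2"
  git -C "$repo" config --get remote.origin.url
}

# "yes" if the password $2 appears anywhere in repo $1's .git/config, else "no".
password_in_config() {
  if grep -q -- "$2" "$WORK/$1/.git/config"; then echo yes; else echo no; fi
}

main() {
  have_git || { echo "git not installed; nothing to demonstrate" >&2; return 0; }
  local pw='s3cret-pw'

  # Password embedded in the URL: it is stored verbatim in .git/config.
  stored_remote_url with_pw "https://build:${pw}@git.example.invalid/repo.git"
  echo "password in config (URL form):     $(password_in_config with_pw "$pw")"

  # Username-only URL plus askpass: git gets the password, the config does not.
  stored_remote_url askpass_mode "https://build@git.example.invalid/repo.git"
  echo "password in config (askpass form): $(password_in_config askpass_mode "$pw")"
  echo "password git would use:            $(askpass_password "$pw")"
}

main
```

The environment-variable caveat from the comment still applies: while git (or the askpass helper) is running, GIT_PASSWORD is readable by anyone who can inspect that process's environment, so the helper is best started from the build step itself rather than from a long-lived shell.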
Generated at Thu Apr 18 19:55:54 UTC 2024 using JIRA 189.