
Some Git error messages include the full URI, including credentials
Closed, Resolved | Public

Description

When you git fetch or git clone a remote repository, some of the error messages include the remote URI. For authenticated HTTP/HTTPS repositories, this URI has credentials.

We should probably make an effort to censor these credentials. I don't think we need to be hugely comprehensive about it, but we could try to clobber credentials out of URIs in the fetch/pull remote ops in git/hg, at least.

(We already do a lot of work to keep them from appearing in commands.)

Event Timeline

epriestley raised the priority of this task from to Low.
epriestley updated the task description.
epriestley added a subscriber: epriestley.

For Badge Awarded, a reasonable approach for this would be:

  • Write a function (say, phutil_mask_string_credentials()) which accepts a string, finds any URLs in the string, replaces credentials with "xxx" (you can use PhutilURI to do this), and then emits the modified string. This can go in libphutil/.
  • Write some unit tests for it.
  • Send a diff for that.
  • Then, find the callsites to git fetch and similar in PhabricatorRepositoryPullEngine, and pass the outputs (stdout/stderr) through the new function.
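
A sketch of the masking function described in the steps above, added here as an example and not libphutil's own code. It uses a regular expression in place of PhutilURI so that it runs stand-alone; the name mask_uri_credentials() and the sample error strings are assumptions constructed for illustration.

```php
<?php
// Added example: a standalone sketch, not libphutil code.
// mask_uri_credentials() is a hypothetical name; the error strings in the
// checks below are constructed samples, not captured Git output.

function mask_uri_credentials(string $text): string {
  // scheme://userinfo@ where userinfo stops at "/", "?", "#", whitespace or
  // a quote, so the match never leaves the authority component. The greedy
  // match backtracks to the LAST "@", which also covers passwords that
  // contain an unencoded "@".
  $pattern = '~\b([a-z][a-z0-9+.-]*://)[^/?#\s\'"]+@~i';
  $masked = preg_replace($pattern, '${1}xxx@', $text);

  // preg_replace() returns null on a PCRE error. Fail closed: never fall
  // back to returning the unmasked text.
  return ($masked === null) ? '<output withheld: masking failed>' : $masked;
}

// input => expected output
$cases = array(
  // user:password in an HTTPS remote
  "fatal: unable to access 'https://alice:hunter2@git.example.com/r.git/': 403"
    => "fatal: unable to access 'https://xxx@git.example.com/r.git/': 403",
  // token used as the username, no password part
  "fatal: could not read from https://sampletoken123@git.example.com/r.git"
    => "fatal: could not read from https://xxx@git.example.com/r.git",
  // password containing an unencoded "@"
  "abort: error: http://bob:p@ss@hg.example.com/repo"
    => "abort: error: http://xxx@hg.example.com/repo",
  // two URIs in one message
  "tried ssh://git:pw@a.example.com/x then https://u:p@b.example.com/y"
    => "tried ssh://xxx@a.example.com/x then https://xxx@b.example.com/y",
  // no credentials: text must pass through unchanged
  "fatal: repository 'https://git.example.com/r.git/' not found"
    => "fatal: repository 'https://git.example.com/r.git/' not found",
);

foreach ($cases as $input => $expect) {
  if (mask_uri_credentials($input) !== $expect) {
    // Report the expected (already masked) string, not the raw input.
    throw new Exception('Masking mismatch, expected: '.$expect);
  }
}
echo 'all '.count($cases)." cases masked as expected\n";
```

Both stdout and stderr of the fetch command would be passed through the function before being logged or shown, since either stream can carry the remote URI.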