* [PATCH] urlmatch: create fetch.credentialsInUrl config @ 2022-05-23 18:04 Derrick Stolee via GitGitGadget 2022-05-23 19:06 ` Junio C Hamano ` (3 more replies) 0 siblings, 4 replies; 40+ messages in thread From: Derrick Stolee via GitGitGadget @ 2022-05-23 18:04 UTC (permalink / raw) To: git Cc: gitster, peff, me, avarab, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup, Derrick Stolee, Derrick Stolee From: Derrick Stolee <derrickstolee@github.com> Users sometimes provide a "username:password" combination in their plaintext URLs. Since Git stores these URLs in plaintext in the .git/config file, this is a very insecure way of storing these credentials. Credential managers are a more secure way of storing this information. System administrators might want to prevent this kind of use by users on their machines. Create a new "fetch.credentialsInUrl" config option and teach Git to warn or die when seeing a URL with this kind of information. The warning anonymizes the sensitive information of the URL to be clear about the issue. This change currently defaults the behavior to "ignore" which does nothing with these URLs. We can consider changing this behavior to "warn" by default if we wish. At that time, we may want to add some advice about setting fetch.credentialsInUrl=ignore for users who still want to follow this pattern (and not receive the warning). As an attempt to ensure the parsing logic did not catch any unintentional cases, I modified this change locally to to use the "die" option by default. Running the test suite succeeds except for the explicit username:password URLs used in t5550-http-fetch-dumb.s and t5541-http-push-smart.sh. This means that all other tested URLs did not trigger this logic. Signed-off-by: Derrick Stolee <derrickstolee@github.com> --- urlmatch: create fetch.credentialsInUrl config This is a modified version of the patch I submitted a while ago [1]. Based on the feedback, changing the behavior to fail by default was not a good approach. Further, the idea to stop storing the credentials in config and redirect them to a credential manager was already considered by Peff [2] but not merged. This patch does what should be the simplest thing we can do: create a config option that will cause the user to get a warning or a failure, depending on its value. The default is to ignore the setting, identical to the current behavior. We can talk about changing this default to "warn" in the future, but it would be safest to release with ignore as the default until we are sure that we are not going to start warning on false positives. This patch would be sufficient for the interested internal parties that want to prevent users from storing credentials this way. System administrators can modify system-level Git config into "die" mode to prevent this behavior. [1] https://lore.kernel.org/git/pull.945.git.1619807844627.gitgitgadget@gmail.com Reject passwords in URLs (April 2021). [2] https://lore.kernel.org/git/20190519050724.GA26179@sigill.intra.peff.net/ Re: Git ransom campaign incident report - May 2019 Thanks, -Stolee Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-1237%2Fderrickstolee%2Fcreds-in-url-v1 Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-1237/derrickstolee/creds-in-url-v1 Pull-Request: https://github.com/gitgitgadget/git/pull/1237 Documentation/config/fetch.txt | 13 ++++++++++ t/t5601-clone.sh | 7 ++++++ urlmatch.c | 43 ++++++++++++++++++++++++++++++++++ 3 files changed, 63 insertions(+) diff --git a/Documentation/config/fetch.txt b/Documentation/config/fetch.txt index cd65d236b43..6aa2a0bec19 100644 --- a/Documentation/config/fetch.txt +++ b/Documentation/config/fetch.txt @@ -96,3 +96,16 @@ fetch.writeCommitGraph:: merge and the write may take longer. Having an updated commit-graph file helps performance of many Git commands, including `git merge-base`, `git push -f`, and `git log --graph`. Defaults to false. + +fetch.credentialsInUrl:: + A URL can contain plaintext credentials in the form + `protocol://<user>:<password>@domain/path`. Using such URLs is not + recommended as it exposes the password in multiple ways. The + `fetch.credentialsInUrl` option provides instruction for how Git + should react to seeing such a URL, with these values: ++ +* `ignore` (default): Git will proceed with its activity without warning. +* `warn`: Git will write a warning message to `stderr` when parsing a URL + with a plaintext credential. +* `die`: Git will write a failure message to `stderr` when parsing a URL + with a plaintext credential. diff --git a/t/t5601-clone.sh b/t/t5601-clone.sh index 4a61f2c901e..34be520b783 100755 --- a/t/t5601-clone.sh +++ b/t/t5601-clone.sh @@ -71,6 +71,13 @@ test_expect_success 'clone respects GIT_WORK_TREE' ' ' +test_expect_success 'clone warns or fails when using username:password' ' + test_must_fail git -c fetch.credentialsInUrl=warn clone https://username:password@localhost attempt1 2>err && + grep "warning: URL '\''https://username:\*\*\*\*\*\*\*\*@localhost/'\'' uses plaintext credentials" err && + test_must_fail git -c fetch.credentialsInUrl=die clone https://username:password@localhost attempt2 2>err && + grep "fatal: URL '\''https://username:\*\*\*\*\*\*\*\*@localhost/'\'' uses plaintext credentials" err +' + test_expect_success 'clone from hooks' ' test_create_repo r0 && diff --git a/urlmatch.c b/urlmatch.c index b615adc923a..6b91fb648a7 100644 --- a/urlmatch.c +++ b/urlmatch.c @@ -1,5 +1,6 @@ #include "cache.h" #include "urlmatch.h" +#include "config.h" #define URL_ALPHA "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" #define URL_DIGIT "0123456789" @@ -106,6 +107,46 @@ static int match_host(const struct url_info *url_info, return (!url_len && !pat_len); } +static void detected_credentials_in_url(const char *url, size_t scheme_len) +{ + char *value = NULL; + const char *at_ptr; + const char *colon_ptr; + struct strbuf anonymized = STRBUF_INIT; + + /* "ignore" is the default behavior. */ + if (git_config_get_string("fetch.credentialsinurl", &value) || + !strcasecmp("ignore", value)) + goto cleanup; + + at_ptr = strchr(url, '@'); + colon_ptr = strchr(url + scheme_len + 3, ':'); + + if (!colon_ptr) + BUG("failed to find colon in url '%s' with scheme_len %"PRIuMAX, + url, (uintmax_t) scheme_len); + + /* Include everything including the colon. */ + colon_ptr++; + strbuf_add(&anonymized, url, colon_ptr - url); + + while (colon_ptr < at_ptr) { + strbuf_addch(&anonymized, '*'); + colon_ptr++; + } + + strbuf_addstr(&anonymized, at_ptr); + + if (!strcasecmp("warn", value)) + warning(_("URL '%s' uses plaintext credentials"), anonymized.buf); + if (!strcasecmp("die", value)) + die(_("URL '%s' uses plaintext credentials"), anonymized.buf); + +cleanup: + free(value); + strbuf_release(&anonymized); +} + static char *url_normalize_1(const char *url, struct url_info *out_info, char allow_globs) { /* @@ -144,6 +185,7 @@ static char *url_normalize_1(const char *url, struct url_info *out_info, char al */ size_t url_len = strlen(url); + const char *orig_url = url; struct strbuf norm; size_t spanned; size_t scheme_len, user_off=0, user_len=0, passwd_off=0, passwd_len=0; @@ -191,6 +233,7 @@ static char *url_normalize_1(const char *url, struct url_info *out_info, char al } colon_ptr = strchr(norm.buf + scheme_len + 3, ':'); if (colon_ptr) { + detected_credentials_in_url(orig_url, scheme_len); passwd_off = (colon_ptr + 1) - norm.buf; passwd_len = norm.len - passwd_off; user_len = (passwd_off - 1) - (scheme_len + 3); base-commit: f9b95943b68b6b8ca5a6072f50a08411c6449b55 -- gitgitgadget ^ permalink raw reply related [flat|nested] 40+ messages in thread
* Re: [PATCH] urlmatch: create fetch.credentialsInUrl config 2022-05-23 18:04 [PATCH] urlmatch: create fetch.credentialsInUrl config Derrick Stolee via GitGitGadget @ 2022-05-23 19:06 ` Junio C Hamano 2022-05-23 20:31 ` Derrick Stolee ` (2 more replies) 2022-05-24 8:18 ` Ævar Arnfjörð Bjarmason ` (2 subsequent siblings) 3 siblings, 3 replies; 40+ messages in thread From: Junio C Hamano @ 2022-05-23 19:06 UTC (permalink / raw) To: Derrick Stolee via GitGitGadget Cc: git, peff, me, avarab, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup, Derrick Stolee "Derrick Stolee via GitGitGadget" <gitgitgadget@gmail.com> writes: > Create a new "fetch.credentialsInUrl" config option and teach Git to > warn or die when seeing a URL with this kind of information. The warning > anonymizes the sensitive information of the URL to be clear about the > issue. The issue sounds vaguely familiar---I must have heard something similar on this list not in too distant past. > This change currently defaults the behavior to "ignore" which does > nothing with these URLs. We can consider changing this behavior to > "warn" by default if we wish. At that time, we may want to add some > advice about setting fetch.credentialsInUrl=ignore for users who still > want to follow this pattern (and not receive the warning). It sounds more like "pass" than "ignore", the latter of which can be read as "strip" instead of "pass it as-is". The name "warn", and its stronger form "die", both sound right. > ... Running the test suite succeeds except for the > explicit username:password URLs used in t5550-http-fetch-dumb.s and > t5541-http-push-smart.sh. This means that all other tested URLs did not > trigger this logic. We are not testing the form we are not encouraging, in other words ;-). > urlmatch: create fetch.credentialsInUrl config > > This is a modified version of the patch I submitted a while ago [1]. > > Based on the feedback, changing the behavior to fail by default was not > a good approach. Further, the idea to stop storing the credentials in > config and redirect them to a credential manager was already considered > by Peff [2] but not merged. I just peeked [2] and I am not sure why we didn't X-<. The solution there covers "git clone" that records the origin URL but this one would cover URL regardless of where the URL came from---as long as an insecure URL is used, we warn or die, and it is even against the URL that came from the command line. In a sense, I think these are more or less orthogonal. [2]'s "clone can strip the user:pass from the URL it writes to the config, while passing user:pass to the credential API", especially if it is extended to "git remote add", would stop two common avenues that such an insecure URL can go to the configuration file. The approach taken by this patch would complement it to a degree, as long as the user cares. I am not sure if there is a legitimate case where the user does not care, though. For a script, it may be handy if a URL can contain an ever-changing user:pass pair, where the pass is generated by something like s/key, for example, and for such a command line that knowingly have user:pass pair, having to set the configuration to "ignore" may be cumbersome. > +fetch.credentialsInUrl:: > + A URL can contain plaintext credentials in the form > + `protocol://<user>:<password>@domain/path`. Using such URLs is not > + recommended as it exposes the password in multiple ways. The > + `fetch.credentialsInUrl` option provides instruction for how Git > + should react to seeing such a URL, with these values: > ++ > +* `ignore` (default): Git will proceed with its activity without warning. > +* `warn`: Git will write a warning message to `stderr` when parsing a URL > + with a plaintext credential. > +* `die`: Git will write a failure message to `stderr` when parsing a URL > + with a plaintext credential. Sounds sensible (modulo I would suggest "ignore" -> "pass"). > + grep "warning: URL '\''https://username:\*\*\*\*\*\*\*\*@localhost/'\'' uses plaintext credentials" err && Makes sure that the password part is redacted, which is good. > + test_must_fail git -c fetch.credentialsInUrl=die clone https://username:password@localhost attempt2 2>err && > + grep "fatal: URL '\''https://username:\*\*\*\*\*\*\*\*@localhost/'\'' uses plaintext credentials" err Ditto. > diff --git a/urlmatch.c b/urlmatch.c > index b615adc923a..6b91fb648a7 100644 > --- a/urlmatch.c > +++ b/urlmatch.c > @@ -1,5 +1,6 @@ > #include "cache.h" > #include "urlmatch.h" > +#include "config.h" Yuck. Having to do config lookups at this deep a level in the callchain does not look too attractive to me. I am wondering if we can make it the responsibility of the callers to figure out and pass down the settings of the new configuration variable. Offhand I do not think of an easy and clean way to do so (well, "easy" is easy---add one to the list of globals in environment.c; "clean" is the harder part). > #define URL_ALPHA "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" > #define URL_DIGIT "0123456789" > @@ -106,6 +107,46 @@ static int match_host(const struct url_info *url_info, > return (!url_len && !pat_len); > } > > +static void detected_credentials_in_url(const char *url, size_t scheme_len) > +{ > + char *value = NULL; > + const char *at_ptr; > + const char *colon_ptr; > + struct strbuf anonymized = STRBUF_INIT; > + > + /* "ignore" is the default behavior. */ > + if (git_config_get_string("fetch.credentialsinurl", &value) || > + !strcasecmp("ignore", value)) > + goto cleanup; > + > + at_ptr = strchr(url, '@'); > + colon_ptr = strchr(url + scheme_len + 3, ':'); We expect that at_ptr would come after colon_ptr (i.e. in "scheme://<u>:<p>@host", no @ exists in <u> or <p> part) and the while() loop below assumes that for redacting. Are we better off if we assert it here, or has the calling parser already rejected such cases? > + if (!colon_ptr) > + BUG("failed to find colon in url '%s' with scheme_len %"PRIuMAX, > + url, (uintmax_t) scheme_len); > + > + /* Include everything including the colon. */ > + colon_ptr++; > + strbuf_add(&anonymized, url, colon_ptr - url); > + > + while (colon_ptr < at_ptr) { > + strbuf_addch(&anonymized, '*'); > + colon_ptr++; > + } > + > + strbuf_addstr(&anonymized, at_ptr); > + > + if (!strcasecmp("warn", value)) > + warning(_("URL '%s' uses plaintext credentials"), anonymized.buf); > + if (!strcasecmp("die", value)) > + die(_("URL '%s' uses plaintext credentials"), anonymized.buf); > + > +cleanup: > + free(value); > + strbuf_release(&anonymized); > +} > + So far, looking good. > @@ -144,6 +185,7 @@ static char *url_normalize_1(const char *url, struct url_info *out_info, char al > */ > > size_t url_len = strlen(url); > + const char *orig_url = url; > struct strbuf norm; > size_t spanned; > size_t scheme_len, user_off=0, user_len=0, passwd_off=0, passwd_len=0; > @@ -191,6 +233,7 @@ static char *url_normalize_1(const char *url, struct url_info *out_info, char al > } > colon_ptr = strchr(norm.buf + scheme_len + 3, ':'); > if (colon_ptr) { > + detected_credentials_in_url(orig_url, scheme_len); > passwd_off = (colon_ptr + 1) - norm.buf; > passwd_len = norm.len - passwd_off; > user_len = (passwd_off - 1) - (scheme_len + 3); > > base-commit: f9b95943b68b6b8ca5a6072f50a08411c6449b55 Thanks. ^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH] urlmatch: create fetch.credentialsInUrl config 2022-05-23 19:06 ` Junio C Hamano @ 2022-05-23 20:31 ` Derrick Stolee 2022-05-23 21:14 ` Junio C Hamano 2022-05-24 11:46 ` Johannes Schindelin 2022-05-23 20:37 ` Junio C Hamano 2022-05-24 11:51 ` Johannes Schindelin 2 siblings, 2 replies; 40+ messages in thread From: Derrick Stolee @ 2022-05-23 20:31 UTC (permalink / raw) To: Junio C Hamano, Derrick Stolee via GitGitGadget Cc: git, peff, me, avarab, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup On 5/23/2022 3:06 PM, Junio C Hamano wrote: > "Derrick Stolee via GitGitGadget" <gitgitgadget@gmail.com> writes: > >> Create a new "fetch.credentialsInUrl" config option and teach Git to >> warn or die when seeing a URL with this kind of information. The warning >> anonymizes the sensitive information of the URL to be clear about the >> issue. > > The issue sounds vaguely familiar---I must have heard something > similar on this list not in too distant past. It certainly felt like not too distant, but [1] was over a year ago! >> This change currently defaults the behavior to "ignore" which does >> nothing with these URLs. We can consider changing this behavior to >> "warn" by default if we wish. At that time, we may want to add some >> advice about setting fetch.credentialsInUrl=ignore for users who still >> want to follow this pattern (and not receive the warning). > > It sounds more like "pass" than "ignore", the latter of which can be > read as "strip" instead of "pass it as-is". Perhaps "allow" would be more clear than all of these options? > The name "warn", and its stronger form "die", both sound right. > >> ... Running the test suite succeeds except for the >> explicit username:password URLs used in t5550-http-fetch-dumb.s and >> t5541-http-push-smart.sh. This means that all other tested URLs did not >> trigger this logic. > > We are not testing the form we are not encouraging, in other words ;-). Right, but in addition we are hopefully testing most of the forms we _do_ encourage, and without triggering these warnings. >> urlmatch: create fetch.credentialsInUrl config >> >> This is a modified version of the patch I submitted a while ago [1]. >> >> Based on the feedback, changing the behavior to fail by default was not >> a good approach. Further, the idea to stop storing the credentials in >> config and redirect them to a credential manager was already considered >> by Peff [2] but not merged. > > I just peeked [2] and I am not sure why we didn't X-<. The solution > there covers "git clone" that records the origin URL but this one > would cover URL regardless of where the URL came from---as long as > an insecure URL is used, we warn or die, and it is even against the > URL that came from the command line. The only reason I can guess is that credential helpers were not as commonplace then. Perhaps now is the right time to revisit it with the knowledge that more users have credential helpers for HTTPS URLs (or use SSH with registered public keys). > In a sense, I think these are more or less orthogonal. [2]'s "clone > can strip the user:pass from the URL it writes to the config, while > passing user:pass to the credential API", especially if it is > extended to "git remote add", would stop two common avenues that > such an insecure URL can go to the configuration file. The approach > taken by this patch would complement it to a degree, as long as the > user cares. I agree that these are mostly orthogonal. I think that the parsing logic in urlmatch.c would be involved in the > I am not sure if there is a legitimate case where the user does not > care, though. For a script, it may be handy if a URL can contain an > ever-changing user:pass pair, where the pass is generated by > something like s/key, for example, and for such a command line that > knowingly have user:pass pair, having to set the configuration to > "ignore" may be cumbersome. Would it make sense to check isatty(2) if we make "warn" the default? We could avoid breaking scripts and third-party tools that way. >> diff --git a/urlmatch.c b/urlmatch.c >> index b615adc923a..6b91fb648a7 100644 >> --- a/urlmatch.c >> +++ b/urlmatch.c >> @@ -1,5 +1,6 @@ >> #include "cache.h" >> #include "urlmatch.h" >> +#include "config.h" > > Yuck. Having to do config lookups at this deep a level in the > callchain does not look too attractive to me. > > I am wondering if we can make it the responsibility of the callers > to figure out and pass down the settings of the new configuration > variable. > > Offhand I do not think of an easy and clean way to do so (well, > "easy" is easy---add one to the list of globals in environment.c; > "clean" is the harder part). Even with something like a global in environment.c, what would initialize it? Would we make it be part of the default Git config so it is initialized at the start of every builtin? Or, would we initialize the config the first time we parse a URL. With that in mind, it might be good to have a static enum that stores the parsed config value and uses that immediately instead of calling git_config_get_string() repeatedly. Are there places where we might inspect a huge number of URLs? >> #define URL_ALPHA "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" >> #define URL_DIGIT "0123456789" >> @@ -106,6 +107,46 @@ static int match_host(const struct url_info *url_info, >> return (!url_len && !pat_len); >> } >> >> +static void detected_credentials_in_url(const char *url, size_t scheme_len) >> +{ >> + char *value = NULL; >> + const char *at_ptr; >> + const char *colon_ptr; >> + struct strbuf anonymized = STRBUF_INIT; >> + >> + /* "ignore" is the default behavior. */ >> + if (git_config_get_string("fetch.credentialsinurl", &value) || >> + !strcasecmp("ignore", value)) >> + goto cleanup; >> + >> + at_ptr = strchr(url, '@'); >> + colon_ptr = strchr(url + scheme_len + 3, ':'); > > We expect that at_ptr would come after colon_ptr (i.e. in > "scheme://<u>:<p>@host", no @ exists in <u> or <p> part) and the > while() loop below assumes that for redacting. Are we better off if > we assert it here, or has the calling parser already rejected such > cases? This computation of at_ptr matches the one in url_normalize_1(), so it at least agrees about where the "username[:password]" section could be. That does mean that the password cannot contain an "@" symbol (unless it is special-cased somehow?). Thanks, -Stolee ^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH] urlmatch: create fetch.credentialsInUrl config 2022-05-23 20:31 ` Derrick Stolee @ 2022-05-23 21:14 ` Junio C Hamano 2022-05-24 11:46 ` Johannes Schindelin 1 sibling, 0 replies; 40+ messages in thread From: Junio C Hamano @ 2022-05-23 21:14 UTC (permalink / raw) To: Derrick Stolee Cc: Derrick Stolee via GitGitGadget, git, peff, me, avarab, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup Derrick Stolee <derrickstolee@github.com> writes: > This computation of at_ptr matches the one in url_normalize_1(), > so it at least agrees about where the "username[:password]" section > could be. OK. > That does mean that the password cannot contain an "@" > symbol (unless it is special-cased somehow?). I wasn't worried about what is valid but more about what attackers can fool users to throw at "git clone" and make our code misbehave (which can include garbage that would not parse correctly). I think the while() loop will just become a no-op, anonymized buffer is left empty and colon_ptr does not get updated at all. Then strbuf_addstr() after the loop will put everything from '@' to the strbuf to be showed, and none of these should lead to any overrun or exploit. Thanks. ^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH] urlmatch: create fetch.credentialsInUrl config 2022-05-23 20:31 ` Derrick Stolee 2022-05-23 21:14 ` Junio C Hamano @ 2022-05-24 11:46 ` Johannes Schindelin 2022-05-24 20:14 ` Derrick Stolee 1 sibling, 1 reply; 40+ messages in thread From: Johannes Schindelin @ 2022-05-24 11:46 UTC (permalink / raw) To: Derrick Stolee Cc: Junio C Hamano, Derrick Stolee via GitGitGadget, git, peff, me, avarab, christian.couder, jrnieder, brian m. carlson, Robert Coup Hi Stolee, On Mon, 23 May 2022, Derrick Stolee wrote: > On 5/23/2022 3:06 PM, Junio C Hamano wrote: > > "Derrick Stolee via GitGitGadget" <gitgitgadget@gmail.com> writes: > > > >> +static void detected_credentials_in_url(const char *url, size_t scheme_len) > >> +{ > >> + char *value = NULL; > >> + const char *at_ptr; > >> + const char *colon_ptr; > >> + struct strbuf anonymized = STRBUF_INIT; > >> + > >> + /* "ignore" is the default behavior. */ > >> + if (git_config_get_string("fetch.credentialsinurl", &value) || > >> + !strcasecmp("ignore", value)) > >> + goto cleanup; > >> + > >> + at_ptr = strchr(url, '@'); > >> + colon_ptr = strchr(url + scheme_len + 3, ':'); > > > > We expect that at_ptr would come after colon_ptr (i.e. in > > "scheme://<u>:<p>@host", no @ exists in <u> or <p> part) and the > > while() loop below assumes that for redacting. Careful here. https://me@there.com:9999/ _is_ a valid URL, too. > > Are we better off if we assert it here, or has the calling parser > > already rejected such cases? > > This computation of at_ptr matches the one in url_normalize_1(), > so it at least agrees about where the "username[:password]" section > could be. That does mean that the password cannot contain an "@" > symbol (unless it is special-cased somehow?). The password cannot contain a literal `@`, and neither can the user name. They have to be URL-encoded, via `%40`. Ciao, Dscho ^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH] urlmatch: create fetch.credentialsInUrl config 2022-05-24 11:46 ` Johannes Schindelin @ 2022-05-24 20:14 ` Derrick Stolee 0 siblings, 0 replies; 40+ messages in thread From: Derrick Stolee @ 2022-05-24 20:14 UTC (permalink / raw) To: Johannes Schindelin Cc: Junio C Hamano, Derrick Stolee via GitGitGadget, git, peff, me, avarab, christian.couder, jrnieder, brian m. carlson, Robert Coup On 5/24/2022 7:46 AM, Johannes Schindelin wrote: > Hi Stolee, > > On Mon, 23 May 2022, Derrick Stolee wrote: > >> On 5/23/2022 3:06 PM, Junio C Hamano wrote: >>> "Derrick Stolee via GitGitGadget" <gitgitgadget@gmail.com> writes: >>> >>>> +static void detected_credentials_in_url(const char *url, size_t scheme_len) >>>> +{ >>>> + char *value = NULL; >>>> + const char *at_ptr; >>>> + const char *colon_ptr; >>>> + struct strbuf anonymized = STRBUF_INIT; >>>> + >>>> + /* "ignore" is the default behavior. */ >>>> + if (git_config_get_string("fetch.credentialsinurl", &value) || >>>> + !strcasecmp("ignore", value)) >>>> + goto cleanup; >>>> + >>>> + at_ptr = strchr(url, '@'); >>>> + colon_ptr = strchr(url + scheme_len + 3, ':'); >>> >>> We expect that at_ptr would come after colon_ptr (i.e. in >>> "scheme://<u>:<p>@host", no @ exists in <u> or <p> part) and the >>> while() loop below assumes that for redacting. > > Careful here. https://me@there.com:9999/ _is_ a valid URL, too. Thanks for checking. The method should not be called unless the password region was already detected. I'll add a BUG() statement and a comment to prevent future callers from providing incorrect URLs. I can also add a test to show that this warning is not output when the only colon is for the port number. >>> Are we better off if we assert it here, or has the calling parser >>> already rejected such cases? >> >> This computation of at_ptr matches the one in url_normalize_1(), >> so it at least agrees about where the "username[:password]" section >> could be. That does mean that the password cannot contain an "@" >> symbol (unless it is special-cased somehow?). > > The password cannot contain a literal `@`, and neither can the user name. > They have to be URL-encoded, via `%40`. Thanks! -Stolee ^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH] urlmatch: create fetch.credentialsInUrl config 2022-05-23 19:06 ` Junio C Hamano 2022-05-23 20:31 ` Derrick Stolee @ 2022-05-23 20:37 ` Junio C Hamano 2022-05-24 11:51 ` Johannes Schindelin 2 siblings, 0 replies; 40+ messages in thread From: Junio C Hamano @ 2022-05-23 20:37 UTC (permalink / raw) To: Derrick Stolee via GitGitGadget Cc: git, peff, me, avarab, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup, Derrick Stolee Junio C Hamano <gitster@pobox.com> writes: > It sounds more like "pass" than "ignore", the latter of which can be > read as "strip" instead of "pass it as-is". Or "allow" (which I prefer over "pass"). > The name "warn", and its stronger form "die", both sound right. ^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH] urlmatch: create fetch.credentialsInUrl config 2022-05-23 19:06 ` Junio C Hamano 2022-05-23 20:31 ` Derrick Stolee 2022-05-23 20:37 ` Junio C Hamano @ 2022-05-24 11:51 ` Johannes Schindelin 2 siblings, 0 replies; 40+ messages in thread From: Johannes Schindelin @ 2022-05-24 11:51 UTC (permalink / raw) To: Junio C Hamano Cc: Derrick Stolee via GitGitGadget, git, peff, me, avarab, christian.couder, jrnieder, brian m. carlson, Robert Coup, Derrick Stolee Hi Junio, On Mon, 23 May 2022, Junio C Hamano wrote: > "Derrick Stolee via GitGitGadget" <gitgitgadget@gmail.com> writes: > > > urlmatch: create fetch.credentialsInUrl config > > > > This is a modified version of the patch I submitted a while ago [1]. > > > > Based on the feedback, changing the behavior to fail by default was not > > a good approach. Further, the idea to stop storing the credentials in > > config and redirect them to a credential manager was already considered > > by Peff [2] but not merged. > > I just peeked [2] and I am not sure why we didn't X-<. The solution > there covers "git clone" that records the origin URL but this one > would cover URL regardless of where the URL came from---as long as > an insecure URL is used, we warn or die, and it is even against the > URL that came from the command line. > > In a sense, I think these are more or less orthogonal. [2]'s "clone > can strip the user:pass from the URL it writes to the config, while > passing user:pass to the credential API", especially if it is > extended to "git remote add", would stop two common avenues that > such an insecure URL can go to the configuration file. The approach > taken by this patch would complement it to a degree, as long as the > user cares. > > I am not sure if there is a legitimate case where the user does not > care, though. For a script, it may be handy if a URL can contain an > ever-changing user:pass pair, where the pass is generated by > something like s/key, for example, and for such a command line that > knowingly have user:pass pair, having to set the configuration to > "ignore" may be cumbersome. To provide one data point: a few of Git for Windows' automated builds use the `https://user@pass:host/` form to clone and push, using a Personal Access Token as password (that is of course marked as a secret, read: it will get redacted out of the logs). So yes, there are scripts that rely on Git's current behavior to work. If Git changes behavior, I will have to adjust those build definitions. In this instance, I believe that the benefit of safeguarding Git's users outweighs the burden of having to adjust such scripts/definitions. Ciao, Dscho ^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH] urlmatch: create fetch.credentialsInUrl config 2022-05-23 18:04 [PATCH] urlmatch: create fetch.credentialsInUrl config Derrick Stolee via GitGitGadget 2022-05-23 19:06 ` Junio C Hamano @ 2022-05-24 8:18 ` Ævar Arnfjörð Bjarmason 2022-05-24 13:50 ` Derrick Stolee 2022-05-24 11:42 ` Johannes Schindelin 2022-05-27 13:27 ` [PATCH v2] " Derrick Stolee via GitGitGadget 3 siblings, 1 reply; 40+ messages in thread From: Ævar Arnfjörð Bjarmason @ 2022-05-24 8:18 UTC (permalink / raw) To: Derrick Stolee via GitGitGadget Cc: git, gitster, peff, me, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup, Derrick Stolee On Mon, May 23 2022, Derrick Stolee via GitGitGadget wrote: > +fetch.credentialsInUrl:: > + A URL can contain plaintext credentials in the form > + `protocol://<user>:<password>@domain/path`. Using such URLs is not > + recommended as it exposes the password in multiple ways. The > + `fetch.credentialsInUrl` option provides instruction for how Git > + should react to seeing such a URL, with these values: Re the previous discussion about this (in the v1 patch / https://lore.kernel.org/git/pull.945.git.1619807844627.gitgitgadget@gmail.com/): In what ways? That's rhetorical, the point being: Let's adjust this documentation to discuss exactly why this is thought to be bad, what we're mitigating for the user etc., are there situations where running git like this is perfectly fine & not thought to be an issue? E.g. no password manager and you trust your FS permission? Let's cover those cases too. > ++ > +* `ignore` (default): Git will proceed with its activity without warning. > +* `warn`: Git will write a warning message to `stderr` when parsing a URL > + with a plaintext credential. > +* `die`: Git will write a failure message to `stderr` when parsing a URL > + with a plaintext credential. You're implementing this with strcasecmp, so we also support DIE, DiE etc. Let's not do that and use strcmp() instead. > diff --git a/t/t5601-clone.sh b/t/t5601-clone.sh > index 4a61f2c901e..34be520b783 100755 > --- a/t/t5601-clone.sh > +++ b/t/t5601-clone.sh > @@ -71,6 +71,13 @@ test_expect_success 'clone respects GIT_WORK_TREE' ' > > ' > > +test_expect_success 'clone warns or fails when using username:password' ' > + test_must_fail git -c fetch.credentialsInUrl=warn clone https://username:password@localhost attempt1 2>err && > + grep "warning: URL '\''https://username:\*\*\*\*\*\*\*\*@localhost/'\'' uses plaintext credentials" err && > + test_must_fail git -c fetch.credentialsInUrl=die clone https://username:password@localhost attempt2 2>err && > + grep "fatal: URL '\''https://username:\*\*\*\*\*\*\*\*@localhost/'\'' uses plaintext credentials" err > +' > + > test_expect_success 'clone from hooks' ' > > test_create_repo r0 && > diff --git a/urlmatch.c b/urlmatch.c > index b615adc923a..6b91fb648a7 100644 > --- a/urlmatch.c > +++ b/urlmatch.c > @@ -1,5 +1,6 @@ > #include "cache.h" > #include "urlmatch.h" > +#include "config.h" > > #define URL_ALPHA "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" > #define URL_DIGIT "0123456789" > @@ -106,6 +107,46 @@ static int match_host(const struct url_info *url_info, > return (!url_len && !pat_len); > } > > +static void detected_credentials_in_url(const char *url, size_t scheme_len) > +{ Just generally: This is only > + char *value = NULL; This init to NULL should be removedd, as we.... > + const char *at_ptr; > + const char *colon_ptr; > + struct strbuf anonymized = STRBUF_INIT; nit: Just call this "sb"? The's at least one line below over 79 characters that's within the bounds with a shorter variable name, and in this case it's obvious what we're doing here... > + > + /* "ignore" is the default behavior. */ > + if (git_config_get_string("fetch.credentialsinurl", &value) || ...initialize it here, and if we didn't the compiler would have a chance to spot that if we were getting it wrong. > + !strcasecmp("ignore", value)) > + goto cleanup; > + > + at_ptr = strchr(url, '@'); > + colon_ptr = strchr(url + scheme_len + 3, ':'); > + > + if (!colon_ptr) > + BUG("failed to find colon in url '%s' with scheme_len %"PRIuMAX, > + url, (uintmax_t) scheme_len); > + > + /* Include everything including the colon. */ > + colon_ptr++; > + strbuf_add(&anonymized, url, colon_ptr - url); > + > + while (colon_ptr < at_ptr) { > + strbuf_addch(&anonymized, '*'); > + colon_ptr++; > + } Could we share code with 88e9b1e3fcb (fetch-pack: redact packfile urls in traces, 2021-11-10), or for consistency note this as <redacted> instead of stripping it out, as we do for that related URL-part redaction? > + strbuf_addstr(&anonymized, at_ptr); Maybe not worth it, but I wondered if we couldn't just use curl for this, turns out it has an API for it: https://curl.se/libcurl/c/libcurl-url.html But it's too new for us to rely on unconditionally, but we could add that to git-curl-compat.h and ifdef it, then we'll eventually drop this custom code for ryling on the well-tested library. I think doing that would be worth it, to show future authors that curl can do this, so maybe we can start relying on that eventually... > + if (!strcasecmp("warn", value)) > + warning(_("URL '%s' uses plaintext credentials"), anonymized.buf); > + if (!strcasecmp("die", value)) > + die(_("URL '%s' uses plaintext credentials"), anonymized.buf); > + > +cleanup: > + free(value); I think you can also just use git_config_get_string_tmp() here and avoid the alloc/free. That's safe as long as you're not calling other config API in-between, which you're not. ^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH] urlmatch: create fetch.credentialsInUrl config 2022-05-24 8:18 ` Ævar Arnfjörð Bjarmason @ 2022-05-24 13:50 ` Derrick Stolee 2022-05-24 21:01 ` Ævar Arnfjörð Bjarmason 0 siblings, 1 reply; 40+ messages in thread From: Derrick Stolee @ 2022-05-24 13:50 UTC (permalink / raw) To: Ævar Arnfjörð Bjarmason, Derrick Stolee via GitGitGadget Cc: git, gitster, peff, me, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup On 5/24/2022 4:18 AM, Ævar Arnfjörð Bjarmason wrote: > > On Mon, May 23 2022, Derrick Stolee via GitGitGadget wrote: > >> +fetch.credentialsInUrl:: >> + A URL can contain plaintext credentials in the form >> + `protocol://<user>:<password>@domain/path`. Using such URLs is not >> + recommended as it exposes the password in multiple ways. The >> + `fetch.credentialsInUrl` option provides instruction for how Git >> + should react to seeing such a URL, with these values: > > Re the previous discussion about this (in the v1 patch / > https://lore.kernel.org/git/pull.945.git.1619807844627.gitgitgadget@gmail.com/): > In what ways? > > That's rhetorical, the point being: Let's adjust this documentation to > discuss exactly why this is thought to be bad, what we're mitigating for > the user etc., are there situations where running git like this is > perfectly fine & not thought to be an issue? E.g. no password manager > and you trust your FS permission? Let's cover those cases too. This documentation is not the proper place to tell the user "do this and you can trust your plaintext creds in the filesystem" because that is asking for problems. I'd rather leave a vague warning and let users go against the recommended behavior only after they have done sufficient work to be confident in taking on that risk. >> ++ >> +* `ignore` (default): Git will proceed with its activity without warning. >> +* `warn`: Git will write a warning message to `stderr` when parsing a URL >> + with a plaintext credential. >> +* `die`: Git will write a failure message to `stderr` when parsing a URL >> + with a plaintext credential. > > You're implementing this with strcasecmp, so we also support DIE, DiE > etc. Let's not do that and use strcmp() instead. Sure. >> +static void detected_credentials_in_url(const char *url, size_t scheme_len) >> +{ > > Just generally: This is only Did you intend to say more here? >> + char *value = NULL; > > This init to NULL should be removedd, as we.... > >> + const char *at_ptr; >> + const char *colon_ptr; >> + struct strbuf anonymized = STRBUF_INIT; > > nit: Just call this "sb"? The's at least one line below over 79 > characters that's within the bounds with a shorter variable name, and in > this case it's obvious what we're doing here... I will not change this name to be less descriptive. >> + >> + /* "ignore" is the default behavior. */ >> + if (git_config_get_string("fetch.credentialsinurl", &value) || > > ...initialize it here, and if we didn't the compiler would have a chance > to spot that if we were getting it wrong. We do not necessarily initialize it here. The compiler doesn't notice it and the free(value) below segfaults. >> + !strcasecmp("ignore", value)) >> + goto cleanup; >> + >> + at_ptr = strchr(url, '@'); >> + colon_ptr = strchr(url + scheme_len + 3, ':'); >> + >> + if (!colon_ptr) >> + BUG("failed to find colon in url '%s' with scheme_len %"PRIuMAX, >> + url, (uintmax_t) scheme_len); >> + >> + /* Include everything including the colon. */ >> + colon_ptr++; >> + strbuf_add(&anonymized, url, colon_ptr - url); >> + >> + while (colon_ptr < at_ptr) { >> + strbuf_addch(&anonymized, '*'); >> + colon_ptr++; >> + } > > Could we share code with 88e9b1e3fcb (fetch-pack: redact packfile urls > in traces, 2021-11-10), or for consistency note this as <redacted> > instead of stripping it out, as we do for that related URL-part > redaction? I'm happy to replace the asterisks with <redacted>. Otherwise, I don't see anything we can do to share across these methods. Specifically, the test in that commit seems to indicate that the redacted portion is only the packfile name (the $HTTPD_URL is not filtered). >> + strbuf_addstr(&anonymized, at_ptr); > > Maybe not worth it, but I wondered if we couldn't just use curl for > this, turns out it has an API for it: > https://curl.se/libcurl/c/libcurl-url.html > > But it's too new for us to rely on unconditionally, but we could add > that to git-curl-compat.h and ifdef it, then we'll eventually drop this > custom code for ryling on the well-tested library. > > I think doing that would be worth it, to show future authors that curl > can do this, so maybe we can start relying on that eventually... Since we can't rely on it, I'll leave that to another (you, perhaps?) to do that ifdef work. I don't think it's worth it right now. >> + if (!strcasecmp("warn", value)) >> + warning(_("URL '%s' uses plaintext credentials"), anonymized.buf); >> + if (!strcasecmp("die", value)) >> + die(_("URL '%s' uses plaintext credentials"), anonymized.buf); >> + >> +cleanup: >> + free(value); > > I think you can also just use git_config_get_string_tmp() here and avoid > the alloc/free. That's safe as long as you're not calling other config > API in-between, which you're not. OK. And that also avoids the need for initialization you mentioned. Thanks, -Stolee ^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH] urlmatch: create fetch.credentialsInUrl config 2022-05-24 13:50 ` Derrick Stolee @ 2022-05-24 21:01 ` Ævar Arnfjörð Bjarmason 2022-05-25 14:03 ` Derrick Stolee 0 siblings, 1 reply; 40+ messages in thread From: Ævar Arnfjörð Bjarmason @ 2022-05-24 21:01 UTC (permalink / raw) To: Derrick Stolee Cc: Derrick Stolee via GitGitGadget, git, gitster, peff, me, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup On Tue, May 24 2022, Derrick Stolee wrote: > On 5/24/2022 4:18 AM, Ævar Arnfjörð Bjarmason wrote: >> >> On Mon, May 23 2022, Derrick Stolee via GitGitGadget wrote: >> >>> +fetch.credentialsInUrl:: >>> + A URL can contain plaintext credentials in the form >>> + `protocol://<user>:<password>@domain/path`. Using such URLs is not >>> + recommended as it exposes the password in multiple ways. The >>> + `fetch.credentialsInUrl` option provides instruction for how Git >>> + should react to seeing such a URL, with these values: >> >> Re the previous discussion about this (in the v1 patch / >> https://lore.kernel.org/git/pull.945.git.1619807844627.gitgitgadget@gmail.com/): >> In what ways? >> >> That's rhetorical, the point being: Let's adjust this documentation to >> discuss exactly why this is thought to be bad, what we're mitigating for >> the user etc., are there situations where running git like this is >> perfectly fine & not thought to be an issue? E.g. no password manager >> and you trust your FS permission? Let's cover those cases too. > > This documentation is not the proper place to tell the user "do this > and you can trust your plaintext creds in the filesystem" because that > is asking for problems. I'd rather leave a vague warning and let users > go against the recommended behavior only after they have done sufficient > work to be confident in taking on that risk. I don't mean that we need to cover the full divergent views on different approaches to local password management, but not leave the user hanging with the rather scary "exposes the password in multiple ways". I.e. if I read that for any software whose implementation I wasn't very familiar with I'd be very afraid, and in git's case for no reason. Does in mean that git has some scary git-specific feature that would expose it. perhaps there's a local log that's unsecured where attempted URLs are logged, or perhaps we send the raw requested URL to the server so it can suggest alternatives for us. We do neither, but even a generally knowledgeable user won't know that about git in particular. Whereas what I think you actually mean and are targeting here is better explained by: Git is careful to avoid exposing passwords in URLs on its own, e.g. they won't be logged in trace2 logs. This setting is intended for those who'd like to discourage (warn) or enforce (die) the use of the password helper infrastructure over hardcoded passwords. All of which I *think* is correct, but maybe I've missed something you know about, as that "in multiple ways" is doing a lot of work. I also wonder if this wouldn't be even more useful if we took some lessons from ssh's book. I.e. per "git config -l --show-origin" we know the original of all config. We could be even more useful (and more aggressive about warning about) cases where we have passwords in config files that we detect don't have restrictive permissions, as OpenSSH does with your private key. Ditto perhaps when the origin is "command line", as we do nothing to hide that from the process list on shared systems (and that would be racy whatever we did). >>> ++ >>> +* `ignore` (default): Git will proceed with its activity without warning. >>> +* `warn`: Git will write a warning message to `stderr` when parsing a URL >>> + with a plaintext credential. >>> +* `die`: Git will write a failure message to `stderr` when parsing a URL >>> + with a plaintext credential. >> >> You're implementing this with strcasecmp, so we also support DIE, DiE >> etc. Let's not do that and use strcmp() instead. > > Sure. > >>> +static void detected_credentials_in_url(const char *url, size_t scheme_len) >>> +{ >> >> Just generally: This is only > > Did you intend to say more here? Probably, but if I did I forgot about it, by now. Sorry. >>> + char *value = NULL; >> >> This init to NULL should be removedd, as we.... >> >>> + const char *at_ptr; >>> + const char *colon_ptr; >>> + struct strbuf anonymized = STRBUF_INIT; >> >> nit: Just call this "sb"? The's at least one line below over 79 >> characters that's within the bounds with a shorter variable name, and in >> this case it's obvious what we're doing here... > > I will not change this name to be less descriptive. Sure, just a suggestion. The other way is to just re-wrap that one line... :) In the end I don't care, "just a nit", but just as one datapoint from reading this code: I find this varibale name in particular to be the polar opposite of descriptive, we're explicitly not anonymizing the URL in this function, since we're not stripping the username part. Wouldn't descriptive be something more like uri_redacted_password or uri_no_password in this case? >>> + >>> + /* "ignore" is the default behavior. */ >>> + if (git_config_get_string("fetch.credentialsinurl", &value) || >> >> ...initialize it here, and if we didn't the compiler would have a chance >> to spot that if we were getting it wrong. > > We do not necessarily initialize it here. The compiler doesn't notice > it and the free(value) below segfaults. Yes, sorry I meant in combination with the *_tmp() variant below... >>> + !strcasecmp("ignore", value)) >>> + goto cleanup; >>> + >>> + at_ptr = strchr(url, '@'); >>> + colon_ptr = strchr(url + scheme_len + 3, ':'); >>> + >>> + if (!colon_ptr) >>> + BUG("failed to find colon in url '%s' with scheme_len %"PRIuMAX, >>> + url, (uintmax_t) scheme_len); >>> + >>> + /* Include everything including the colon. */ >>> + colon_ptr++; >>> + strbuf_add(&anonymized, url, colon_ptr - url); >>> + >>> + while (colon_ptr < at_ptr) { >>> + strbuf_addch(&anonymized, '*'); >>> + colon_ptr++; >>> + } >> >> Could we share code with 88e9b1e3fcb (fetch-pack: redact packfile urls >> in traces, 2021-11-10), or for consistency note this as <redacted> >> instead of stripping it out, as we do for that related URL-part >> redaction? > > I'm happy to replace the asterisks with <redacted>. Otherwise, I don't > see anything we can do to share across these methods. Yes, I just meant adding a "<redacted>". I briefly looked at whether it made sense to share the implementation, but I think probably not. I didn't think of this at the time but your implementation also leaks the length of the password, which <redacted> will solve in any case. Just for the implementation: It's slightly more wasteful, but in this case we don't care about performance, so perhaps a strbuf_splice() variant is easier here? I.e. add the full URL, find : and @, then strbuf_splice() it. It gets rid of much of the pointer juggling here & adding things incrementally. > Specifically, > the test in that commit seems to indicate that the redacted portion is > only the packfile name (the $HTTPD_URL is not filtered). By HTTPD_URL it means "the path", i.e. it's the equivalent of stripping CURLUPART_{PATH,QUERY,FRAGMENT}. So a hypothetical shared implementation would just be a matter of searching for the '/' once we're past the (optional) '@', but better to leave it for now. >>> + strbuf_addstr(&anonymized, at_ptr); >> >> Maybe not worth it, but I wondered if we couldn't just use curl for >> this, turns out it has an API for it: >> https://curl.se/libcurl/c/libcurl-url.html >> >> But it's too new for us to rely on unconditionally, but we could add >> that to git-curl-compat.h and ifdef it, then we'll eventually drop this >> custom code for ryling on the well-tested library. >> >> I think doing that would be worth it, to show future authors that curl >> can do this, so maybe we can start relying on that eventually... > > Since we can't rely on it, I'll leave that to another (you, perhaps?) > to do that ifdef work. I don't think it's worth it right now. Yeah, probably not. >>> + if (!strcasecmp("warn", value)) >>> + warning(_("URL '%s' uses plaintext credentials"), anonymized.buf); >>> + if (!strcasecmp("die", value)) >>> + die(_("URL '%s' uses plaintext credentials"), anonymized.buf); >>> + >>> +cleanup: >>> + free(value); >> >> I think you can also just use git_config_get_string_tmp() here and avoid >> the alloc/free. That's safe as long as you're not calling other config >> API in-between, which you're not. > > OK. And that also avoids the need for initialization you mentioned. *nod* ^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH] urlmatch: create fetch.credentialsInUrl config 2022-05-24 21:01 ` Ævar Arnfjörð Bjarmason @ 2022-05-25 14:03 ` Derrick Stolee 0 siblings, 0 replies; 40+ messages in thread From: Derrick Stolee @ 2022-05-25 14:03 UTC (permalink / raw) To: Ævar Arnfjörð Bjarmason Cc: Derrick Stolee via GitGitGadget, git, gitster, peff, me, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup On 5/24/2022 5:01 PM, Ævar Arnfjörð Bjarmason wrote: > > On Tue, May 24 2022, Derrick Stolee wrote: > >> On 5/24/2022 4:18 AM, Ævar Arnfjörð Bjarmason wrote: >>> >>> On Mon, May 23 2022, Derrick Stolee via GitGitGadget wrote: >>> >>>> +fetch.credentialsInUrl:: >>>> + A URL can contain plaintext credentials in the form >>>> + `protocol://<user>:<password>@domain/path`. Using such URLs is not >>>> + recommended as it exposes the password in multiple ways. The >>>> + `fetch.credentialsInUrl` option provides instruction for how Git >>>> + should react to seeing such a URL, with these values: >>> >>> Re the previous discussion about this (in the v1 patch / >>> https://lore.kernel.org/git/pull.945.git.1619807844627.gitgitgadget@gmail.com/): >>> In what ways? >>> >>> That's rhetorical, the point being: Let's adjust this documentation to >>> discuss exactly why this is thought to be bad, what we're mitigating for >>> the user etc., are there situations where running git like this is >>> perfectly fine & not thought to be an issue? E.g. no password manager >>> and you trust your FS permission? Let's cover those cases too. >> >> This documentation is not the proper place to tell the user "do this >> and you can trust your plaintext creds in the filesystem" because that >> is asking for problems. I'd rather leave a vague warning and let users >> go against the recommended behavior only after they have done sufficient >> work to be confident in taking on that risk. > > I don't mean that we need to cover the full divergent views on different > approaches to local password management, but not leave the user hanging > with the rather scary "exposes the password in multiple ways". > > I.e. if I read that for any software whose implementation I wasn't very > familiar with I'd be very afraid, and in git's case for no reason. > > Does in mean that git has some scary git-specific feature that would > expose it. perhaps there's a local log that's unsecured where attempted > URLs are logged, or perhaps we send the raw requested URL to the server > so it can suggest alternatives for us. We do neither, but even a > generally knowledgeable user won't know that about git in particular. > > Whereas what I think you actually mean and are targeting here is better > explained by: > > Git is careful to avoid exposing passwords in URLs on its own, > e.g. they won't be logged in trace2 logs. This setting is intended > for those who'd like to discourage (warn) or enforce (die) the use > of the password helper infrastructure over hardcoded passwords. > > All of which I *think* is correct, but maybe I've missed something you > know about, as that "in multiple ways" is doing a lot of work. > > I also wonder if this wouldn't be even more useful if we took some > lessons from ssh's book. I.e. per "git config -l --show-origin" we know > the original of all config. We could be even more useful (and more > aggressive about warning about) cases where we have passwords in config > files that we detect don't have restrictive permissions, as OpenSSH does > with your private key. > > Ditto perhaps when the origin is "command line", as we do nothing to > hide that from the process list on shared systems (and that would be > racy whatever we did). I tried to be careful about how "it" (being "Using such URLs") can expose the password includes things that are not under Git's responsibility (such as command-line histories and other system-level logs) but I can add a bit about how Git stores the plaintext password in the repository's config. >>>> + char *value = NULL; >>> >>> This init to NULL should be removedd, as we.... >>> >>>> + const char *at_ptr; >>>> + const char *colon_ptr; >>>> + struct strbuf anonymized = STRBUF_INIT; >>> >>> nit: Just call this "sb"? The's at least one line below over 79 >>> characters that's within the bounds with a shorter variable name, and in >>> this case it's obvious what we're doing here... >> >> I will not change this name to be less descriptive. > > Sure, just a suggestion. The other way is to just re-wrap that one > line... :) > > In the end I don't care, "just a nit", but just as one datapoint from > reading this code: I find this varibale name in particular to be the > polar opposite of descriptive, we're explicitly not anonymizing the URL > in this function, since we're not stripping the username part. > > Wouldn't descriptive be something more like uri_redacted_password or > uri_no_password in this case? How about "redacted"? > Just for the implementation: It's slightly more wasteful, but in this > case we don't care about performance, so perhaps a strbuf_splice() > variant is easier here? I.e. add the full URL, find : and @, then > strbuf_splice() it. It gets rid of much of the pointer juggling here & > adding things incrementally. TIL. strbuf_splice() will work perfectly. Thanks. -Stolee ^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH] urlmatch: create fetch.credentialsInUrl config 2022-05-23 18:04 [PATCH] urlmatch: create fetch.credentialsInUrl config Derrick Stolee via GitGitGadget 2022-05-23 19:06 ` Junio C Hamano 2022-05-24 8:18 ` Ævar Arnfjörð Bjarmason @ 2022-05-24 11:42 ` Johannes Schindelin 2022-05-24 20:16 ` Derrick Stolee 2022-05-27 13:27 ` [PATCH v2] " Derrick Stolee via GitGitGadget 3 siblings, 1 reply; 40+ messages in thread From: Johannes Schindelin @ 2022-05-24 11:42 UTC (permalink / raw) To: Derrick Stolee via GitGitGadget Cc: git, gitster, peff, me, avarab, christian.couder, jrnieder, brian m. carlson, Robert Coup, Derrick Stolee, Derrick Stolee Hi Stolee, On Mon, 23 May 2022, Derrick Stolee via GitGitGadget wrote: > diff --git a/urlmatch.c b/urlmatch.c > index b615adc923a..6b91fb648a7 100644 > --- a/urlmatch.c > +++ b/urlmatch.c > +static void detected_credentials_in_url(const char *url, size_t scheme_len) > +{ > + char *value = NULL; > + const char *at_ptr; > + const char *colon_ptr; > + struct strbuf anonymized = STRBUF_INIT; > + > + /* "ignore" is the default behavior. */ > + if (git_config_get_string("fetch.credentialsinurl", &value) || > + !strcasecmp("ignore", value)) > + goto cleanup; > + > + at_ptr = strchr(url, '@'); > + colon_ptr = strchr(url + scheme_len + 3, ':'); How certain are we that `url + scheme_len + 3` is still inside the NUL-separated `url`? > + > + if (!colon_ptr) > + BUG("failed to find colon in url '%s' with scheme_len %"PRIuMAX, > + url, (uintmax_t) scheme_len); Wouldn't this mean that `https://github.com/git/git` with a `scheme_len` of 5 would hit that `BUG()` code path? Thanks, Dscho > + > + /* Include everything including the colon. */ > + colon_ptr++; > + strbuf_add(&anonymized, url, colon_ptr - url); > + > + while (colon_ptr < at_ptr) { > + strbuf_addch(&anonymized, '*'); > + colon_ptr++; > + } > + > + strbuf_addstr(&anonymized, at_ptr); > + > + if (!strcasecmp("warn", value)) > + warning(_("URL '%s' uses plaintext credentials"), anonymized.buf); > + if (!strcasecmp("die", value)) > + die(_("URL '%s' uses plaintext credentials"), anonymized.buf); > + > +cleanup: > + free(value); > + strbuf_release(&anonymized); > +} > + > static char *url_normalize_1(const char *url, struct url_info *out_info, char allow_globs) > { > /* ^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH] urlmatch: create fetch.credentialsInUrl config 2022-05-24 11:42 ` Johannes Schindelin @ 2022-05-24 20:16 ` Derrick Stolee 0 siblings, 0 replies; 40+ messages in thread From: Derrick Stolee @ 2022-05-24 20:16 UTC (permalink / raw) To: Johannes Schindelin, Derrick Stolee via GitGitGadget Cc: git, gitster, peff, me, avarab, christian.couder, jrnieder, brian m. carlson, Robert Coup On 5/24/2022 7:42 AM, Johannes Schindelin wrote: > Hi Stolee, > > On Mon, 23 May 2022, Derrick Stolee via GitGitGadget wrote: >> + at_ptr = strchr(url, '@'); >> + colon_ptr = strchr(url + scheme_len + 3, ':'); > > How certain are we that `url + scheme_len + 3` is still inside the > NUL-separated `url`? I'll update the method comment to make this clear. >> + >> + if (!colon_ptr) >> + BUG("failed to find colon in url '%s' with scheme_len %"PRIuMAX, >> + url, (uintmax_t) scheme_len); > > Wouldn't this mean that `https://github.com/git/git` with a `scheme_len` > of 5 would hit that `BUG()` code path? Yes. The method is about what to do once we've detected a URL with a "username:password@" combination after the scheme. I mentioned in a different reply, but I'll make this clear with a comment. Thanks, -Stolee ^ permalink raw reply [flat|nested] 40+ messages in thread
* [PATCH v2] urlmatch: create fetch.credentialsInUrl config 2022-05-23 18:04 [PATCH] urlmatch: create fetch.credentialsInUrl config Derrick Stolee via GitGitGadget ` (2 preceding siblings ...) 2022-05-24 11:42 ` Johannes Schindelin @ 2022-05-27 13:27 ` Derrick Stolee via GitGitGadget 2022-05-27 14:22 ` Ævar Arnfjörð Bjarmason ` (3 more replies) 3 siblings, 4 replies; 40+ messages in thread From: Derrick Stolee via GitGitGadget @ 2022-05-27 13:27 UTC (permalink / raw) To: git Cc: gitster, peff, me, avarab, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup, Derrick Stolee, Derrick Stolee From: Derrick Stolee <derrickstolee@github.com> Users sometimes provide a "username:password" combination in their plaintext URLs. Since Git stores these URLs in plaintext in the .git/config file, this is a very insecure way of storing these credentials. Credential managers are a more secure way of storing this information. System administrators might want to prevent this kind of use by users on their machines. Create a new "fetch.credentialsInUrl" config option and teach Git to warn or die when seeing a URL with this kind of information. The warning anonymizes the sensitive information of the URL to be clear about the issue. This change currently defaults the behavior to "allow" which does nothing with these URLs. We can consider changing this behavior to "warn" by default if we wish. At that time, we may want to add some advice about setting fetch.credentialsInUrl=ignore for users who still want to follow this pattern (and not receive the warning). As an attempt to ensure the parsing logic did not catch any unintentional cases, I modified this change locally to to use the "die" option by default. Running the test suite succeeds except for the explicit username:password URLs used in t5550-http-fetch-dumb.sh and t5541-http-push-smart.sh. This means that all other tested URLs did not trigger this logic. Signed-off-by: Derrick Stolee <derrickstolee@github.com> --- urlmatch: create fetch.credentialsInUrl config This is a modified version of the patch I submitted a while ago [1]. Based on the feedback, changing the behavior to fail by default was not a good approach. Further, the idea to stop storing the credentials in config and redirect them to a credential manager was already considered by Peff [2] but not merged. This patch does what should be the simplest thing we can do: create a config option that will cause the user to get a warning or a failure, depending on its value. The default is to ignore the setting, identical to the current behavior. We can talk about changing this default to "warn" in the future, but it would be safest to release with ignore as the default until we are sure that we are not going to start warning on false positives. This patch would be sufficient for the interested internal parties that want to prevent users from storing credentials this way. System administrators can modify system-level Git config into "die" mode to prevent this behavior. [1] https://lore.kernel.org/git/pull.945.git.1619807844627.gitgitgadget@gmail.com Reject passwords in URLs (April 2021). [2] https://lore.kernel.org/git/20190519050724.GA26179@sigill.intra.peff.net/ Re: Git ransom campaign incident report - May 2019 Updates in v2 ============= * Documentation is slightly expanded to include the fact that Git stores the given URL as plaintext in its config. * The new method has a new documentation comment that details the necessary preconditions. * "ignore" is now "allow" * Additional checks on colon_ptr are added. * Use strbuf_splice() instead of custom string-walking logic. * Use "" instead of asterisks. * Config value checks are no longer case sensitive. Thanks, -Stolee Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-1237%2Fderrickstolee%2Fcreds-in-url-v2 Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-1237/derrickstolee/creds-in-url-v2 Pull-Request: https://github.com/gitgitgadget/git/pull/1237 Range-diff vs v1: 1: cc2befb3803 ! 1: 364f5c37c70 urlmatch: create fetch.credentialsInUrl config @@ Commit message anonymizes the sensitive information of the URL to be clear about the issue. - This change currently defaults the behavior to "ignore" which does + This change currently defaults the behavior to "allow" which does nothing with these URLs. We can consider changing this behavior to "warn" by default if we wish. At that time, we may want to add some advice about setting fetch.credentialsInUrl=ignore for users who still @@ Commit message As an attempt to ensure the parsing logic did not catch any unintentional cases, I modified this change locally to to use the "die" option by default. Running the test suite succeeds except for the - explicit username:password URLs used in t5550-http-fetch-dumb.s and + explicit username:password URLs used in t5550-http-fetch-dumb.sh and t5541-http-push-smart.sh. This means that all other tested URLs did not trigger this logic. @@ Documentation/config/fetch.txt: fetch.writeCommitGraph:: +fetch.credentialsInUrl:: + A URL can contain plaintext credentials in the form + `protocol://<user>:<password>@domain/path`. Using such URLs is not -+ recommended as it exposes the password in multiple ways. The ++ recommended as it exposes the password in multiple ways, including ++ Git storing the URL as plaintext in the repository config. The + `fetch.credentialsInUrl` option provides instruction for how Git + should react to seeing such a URL, with these values: ++ -+* `ignore` (default): Git will proceed with its activity without warning. ++* `allow` (default): Git will proceed with its activity without warning. +* `warn`: Git will write a warning message to `stderr` when parsing a URL + with a plaintext credential. +* `die`: Git will write a failure message to `stderr` when parsing a URL @@ t/t5601-clone.sh: test_expect_success 'clone respects GIT_WORK_TREE' ' +test_expect_success 'clone warns or fails when using username:password' ' + test_must_fail git -c fetch.credentialsInUrl=warn clone https://username:password@localhost attempt1 2>err && -+ grep "warning: URL '\''https://username:\*\*\*\*\*\*\*\*@localhost/'\'' uses plaintext credentials" err && ++ grep "warning: URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" err && + test_must_fail git -c fetch.credentialsInUrl=die clone https://username:password@localhost attempt2 2>err && -+ grep "fatal: URL '\''https://username:\*\*\*\*\*\*\*\*@localhost/'\'' uses plaintext credentials" err ++ grep "fatal: URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" err ++' ++ ++test_expect_success 'clone does not detect username:password when it is https://username@domain:port/' ' ++ test_must_fail git -c fetch.credentialsInUrl=warn clone https://username@localhost:8080 attempt3 2>err && ++ ! grep "uses plaintext credentials" err +' + test_expect_success 'clone from hooks' ' @@ urlmatch.c: static int match_host(const struct url_info *url_info, return (!url_len && !pat_len); } ++/* ++ * Call this method when we have detected credentials within the 'url' in ++ * the form ++ * ++ * scheme://username:password@domain[:port][/path] ++ * ++ * The 'scheme_len' value should be equal to the string length of the ++ * "scheme://" portion of the URL. ++ * ++ * The fetch.credentialsInUrl config indicates what to do on such a URL, ++ * either ignoring, warning, or die()ing. The latter two modes write a ++ * redacted URL to stderr. ++ */ +static void detected_credentials_in_url(const char *url, size_t scheme_len) +{ -+ char *value = NULL; ++ const char *value; + const char *at_ptr; + const char *colon_ptr; -+ struct strbuf anonymized = STRBUF_INIT; ++ struct strbuf redacted = STRBUF_INIT; + -+ /* "ignore" is the default behavior. */ -+ if (git_config_get_string("fetch.credentialsinurl", &value) || -+ !strcasecmp("ignore", value)) -+ goto cleanup; ++ /* "allow" is the default behavior. */ ++ if (git_config_get_string_tmp("fetch.credentialsinurl", &value) || ++ !strcmp("allow", value)) ++ return; + + at_ptr = strchr(url, '@'); + colon_ptr = strchr(url + scheme_len + 3, ':'); + ++ /* ++ * Let's do some defensive programming to ensure the given ++ * URL is of the proper format. ++ */ + if (!colon_ptr) + BUG("failed to find colon in url '%s' with scheme_len %"PRIuMAX, + url, (uintmax_t) scheme_len); ++ if (colon_ptr > at_ptr) ++ BUG("input url '%s' does not include credentials", ++ url); + -+ /* Include everything including the colon. */ ++ /* Include the colon when creating the redacted URL. */ + colon_ptr++; -+ strbuf_add(&anonymized, url, colon_ptr - url); -+ -+ while (colon_ptr < at_ptr) { -+ strbuf_addch(&anonymized, '*'); -+ colon_ptr++; -+ } -+ -+ strbuf_addstr(&anonymized, at_ptr); ++ strbuf_addstr(&redacted, url); ++ strbuf_splice(&redacted, colon_ptr - url, at_ptr - colon_ptr, ++ "<redacted>", 10); + -+ if (!strcasecmp("warn", value)) -+ warning(_("URL '%s' uses plaintext credentials"), anonymized.buf); -+ if (!strcasecmp("die", value)) -+ die(_("URL '%s' uses plaintext credentials"), anonymized.buf); ++ if (!strcmp("warn", value)) ++ warning(_("URL '%s' uses plaintext credentials"), redacted.buf); ++ if (!strcmp("die", value)) ++ die(_("URL '%s' uses plaintext credentials"), redacted.buf); + -+cleanup: -+ free(value); -+ strbuf_release(&anonymized); ++ strbuf_release(&redacted); +} + static char *url_normalize_1(const char *url, struct url_info *out_info, char allow_globs) Documentation/config/fetch.txt | 14 +++++++++ t/t5601-clone.sh | 12 ++++++++ urlmatch.c | 56 ++++++++++++++++++++++++++++++++++ 3 files changed, 82 insertions(+) diff --git a/Documentation/config/fetch.txt b/Documentation/config/fetch.txt index cd65d236b43..7fd3ea89f5d 100644 --- a/Documentation/config/fetch.txt +++ b/Documentation/config/fetch.txt @@ -96,3 +96,17 @@ fetch.writeCommitGraph:: merge and the write may take longer. Having an updated commit-graph file helps performance of many Git commands, including `git merge-base`, `git push -f`, and `git log --graph`. Defaults to false. + +fetch.credentialsInUrl:: + A URL can contain plaintext credentials in the form + `protocol://<user>:<password>@domain/path`. Using such URLs is not + recommended as it exposes the password in multiple ways, including + Git storing the URL as plaintext in the repository config. The + `fetch.credentialsInUrl` option provides instruction for how Git + should react to seeing such a URL, with these values: ++ +* `allow` (default): Git will proceed with its activity without warning. +* `warn`: Git will write a warning message to `stderr` when parsing a URL + with a plaintext credential. +* `die`: Git will write a failure message to `stderr` when parsing a URL + with a plaintext credential. diff --git a/t/t5601-clone.sh b/t/t5601-clone.sh index 4a61f2c901e..387da74d175 100755 --- a/t/t5601-clone.sh +++ b/t/t5601-clone.sh @@ -71,6 +71,18 @@ test_expect_success 'clone respects GIT_WORK_TREE' ' ' +test_expect_success 'clone warns or fails when using username:password' ' + test_must_fail git -c fetch.credentialsInUrl=warn clone https://username:password@localhost attempt1 2>err && + grep "warning: URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" err && + test_must_fail git -c fetch.credentialsInUrl=die clone https://username:password@localhost attempt2 2>err && + grep "fatal: URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" err +' + +test_expect_success 'clone does not detect username:password when it is https://username@domain:port/' ' + test_must_fail git -c fetch.credentialsInUrl=warn clone https://username@localhost:8080 attempt3 2>err && + ! grep "uses plaintext credentials" err +' + test_expect_success 'clone from hooks' ' test_create_repo r0 && diff --git a/urlmatch.c b/urlmatch.c index b615adc923a..16beda37a3a 100644 --- a/urlmatch.c +++ b/urlmatch.c @@ -1,5 +1,6 @@ #include "cache.h" #include "urlmatch.h" +#include "config.h" #define URL_ALPHA "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" #define URL_DIGIT "0123456789" @@ -106,6 +107,59 @@ static int match_host(const struct url_info *url_info, return (!url_len && !pat_len); } +/* + * Call this method when we have detected credentials within the 'url' in + * the form + * + * scheme://username:password@domain[:port][/path] + * + * The 'scheme_len' value should be equal to the string length of the + * "scheme://" portion of the URL. + * + * The fetch.credentialsInUrl config indicates what to do on such a URL, + * either ignoring, warning, or die()ing. The latter two modes write a + * redacted URL to stderr. + */ +static void detected_credentials_in_url(const char *url, size_t scheme_len) +{ + const char *value; + const char *at_ptr; + const char *colon_ptr; + struct strbuf redacted = STRBUF_INIT; + + /* "allow" is the default behavior. */ + if (git_config_get_string_tmp("fetch.credentialsinurl", &value) || + !strcmp("allow", value)) + return; + + at_ptr = strchr(url, '@'); + colon_ptr = strchr(url + scheme_len + 3, ':'); + + /* + * Let's do some defensive programming to ensure the given + * URL is of the proper format. + */ + if (!colon_ptr) + BUG("failed to find colon in url '%s' with scheme_len %"PRIuMAX, + url, (uintmax_t) scheme_len); + if (colon_ptr > at_ptr) + BUG("input url '%s' does not include credentials", + url); + + /* Include the colon when creating the redacted URL. */ + colon_ptr++; + strbuf_addstr(&redacted, url); + strbuf_splice(&redacted, colon_ptr - url, at_ptr - colon_ptr, + "<redacted>", 10); + + if (!strcmp("warn", value)) + warning(_("URL '%s' uses plaintext credentials"), redacted.buf); + if (!strcmp("die", value)) + die(_("URL '%s' uses plaintext credentials"), redacted.buf); + + strbuf_release(&redacted); +} + static char *url_normalize_1(const char *url, struct url_info *out_info, char allow_globs) { /* @@ -144,6 +198,7 @@ static char *url_normalize_1(const char *url, struct url_info *out_info, char al */ size_t url_len = strlen(url); + const char *orig_url = url; struct strbuf norm; size_t spanned; size_t scheme_len, user_off=0, user_len=0, passwd_off=0, passwd_len=0; @@ -191,6 +246,7 @@ static char *url_normalize_1(const char *url, struct url_info *out_info, char al } colon_ptr = strchr(norm.buf + scheme_len + 3, ':'); if (colon_ptr) { + detected_credentials_in_url(orig_url, scheme_len); passwd_off = (colon_ptr + 1) - norm.buf; passwd_len = norm.len - passwd_off; user_len = (passwd_off - 1) - (scheme_len + 3); base-commit: f9b95943b68b6b8ca5a6072f50a08411c6449b55 -- gitgitgadget ^ permalink raw reply related [flat|nested] 40+ messages in thread
* Re: [PATCH v2] urlmatch: create fetch.credentialsInUrl config 2022-05-27 13:27 ` [PATCH v2] " Derrick Stolee via GitGitGadget @ 2022-05-27 14:22 ` Ævar Arnfjörð Bjarmason 2022-05-27 14:43 ` Derrick Stolee 2022-05-27 18:09 ` Junio C Hamano ` (2 subsequent siblings) 3 siblings, 1 reply; 40+ messages in thread From: Ævar Arnfjörð Bjarmason @ 2022-05-27 14:22 UTC (permalink / raw) To: Derrick Stolee via GitGitGadget Cc: git, gitster, peff, me, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup, Derrick Stolee On Fri, May 27 2022, Derrick Stolee via GitGitGadget wrote: > From: Derrick Stolee <derrickstolee@github.com> Just real quick, I hadn't taken notice of this before (the rest looks good at a glance): > + /* > + * Let's do some defensive programming to ensure the given > + * URL is of the proper format. > + */ > + if (!colon_ptr) > + BUG("failed to find colon in url '%s' with scheme_len %"PRIuMAX, > + url, (uintmax_t) scheme_len); > + if (colon_ptr > at_ptr) > + BUG("input url '%s' does not include credentials", > + url); So the function is renamed to detected_credentials_in_url(), so as a nit I'd expect some verb like "strip", "redact" or whatever inthe name or whatever, to make it clear what we're doing. But since the only caller here below... > + > + /* Include the colon when creating the redacted URL. */ > + colon_ptr++; > + strbuf_addstr(&redacted, url); > + strbuf_splice(&redacted, colon_ptr - url, at_ptr - colon_ptr, > + "<redacted>", 10); > + > + if (!strcmp("warn", value)) > + warning(_("URL '%s' uses plaintext credentials"), redacted.buf); > + if (!strcmp("die", value)) > + die(_("URL '%s' uses plaintext credentials"), redacted.buf); > + > + strbuf_release(&redacted); > +} > + > static char *url_normalize_1(const char *url, struct url_info *out_info, char allow_globs) > { > /* > @@ -144,6 +198,7 @@ static char *url_normalize_1(const char *url, struct url_info *out_info, char al > */ > > size_t url_len = strlen(url); > + const char *orig_url = url; > struct strbuf norm; > size_t spanned; > size_t scheme_len, user_off=0, user_len=0, passwd_off=0, passwd_len=0; > @@ -191,6 +246,7 @@ static char *url_normalize_1(const char *url, struct url_info *out_info, char al > } > colon_ptr = strchr(norm.buf + scheme_len + 3, ':'); > if (colon_ptr) { > + detected_credentials_in_url(orig_url, scheme_len); Has already done the work of finding the colon_ptr (and at_ptr) why re-do that paranoia since we have a static function, we could just pass the two pointers we found already to strbuf_splice(). This also seems really close to something we could just add to strbuf.c as e.g a strbuf_splice_to(). I.e. just: int strbuf_splice_to(const struct strbuf *in, struct strbuf *sb, size_t pos, size_t len, const void *data, size_t data_len); Which would be used as: struct strbuf sb = STRBUF_INIT; if (!strbuf_splice_to(url, &redacted, /* same as strbuf_splice(...) */)) warn("oh noes a password in %s", sb.buf); else warn("have no password in %s, no replacement done", url->buf); Which re earlier talk of sharing an implementation with the other <redacted> code looks like it could be dropped into the relevant part of pkt-line.c. But maybe that's all going overboard :) ^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v2] urlmatch: create fetch.credentialsInUrl config 2022-05-27 14:22 ` Ævar Arnfjörð Bjarmason @ 2022-05-27 14:43 ` Derrick Stolee 0 siblings, 0 replies; 40+ messages in thread From: Derrick Stolee @ 2022-05-27 14:43 UTC (permalink / raw) To: Ævar Arnfjörð Bjarmason, Derrick Stolee via GitGitGadget Cc: git, gitster, peff, me, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup On 5/27/2022 10:22 AM, Ævar Arnfjörð Bjarmason wrote: > > On Fri, May 27 2022, Derrick Stolee via GitGitGadget wrote: > >> From: Derrick Stolee <derrickstolee@github.com> > > Just real quick, I hadn't taken notice of this before (the rest looks > good at a glance): > >> + /* >> + * Let's do some defensive programming to ensure the given >> + * URL is of the proper format. >> + */ >> + if (!colon_ptr) >> + BUG("failed to find colon in url '%s' with scheme_len %"PRIuMAX, >> + url, (uintmax_t) scheme_len); >> + if (colon_ptr > at_ptr) >> + BUG("input url '%s' does not include credentials", >> + url); > > So the function is renamed to detected_credentials_in_url(), so as a nit > I'd expect some verb like "strip", "redact" or whatever inthe name or > whatever, to make it clear what we're doing. The name means "Do what needs to be done when creds are detected in a URL". If we decide to change the response to creds in a URL, then we would change the implementation without changing the name. >> colon_ptr = strchr(norm.buf + scheme_len + 3, ':'); >> if (colon_ptr) { >> + detected_credentials_in_url(orig_url, scheme_len); > > Has already done the work of finding the colon_ptr (and at_ptr) why > re-do that paranoia since we have a static function, Unfortunately, at this point 'url' is not equal to 'orig_url' and 'colon_ptr' isn't even within the 'orig_url' string. It's been copied and mutated. It was my first instinct to share as much as possible, which is why 'schema' is reused. Thanks, -Stolee ^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v2] urlmatch: create fetch.credentialsInUrl config 2022-05-27 13:27 ` [PATCH v2] " Derrick Stolee via GitGitGadget 2022-05-27 14:22 ` Ævar Arnfjörð Bjarmason @ 2022-05-27 18:09 ` Junio C Hamano 2022-05-27 18:40 ` Junio C Hamano 2022-05-30 0:16 ` Junio C Hamano 2022-06-01 1:16 ` [PATCH v3 0/2] fetch: " Derrick Stolee via GitGitGadget 3 siblings, 1 reply; 40+ messages in thread From: Junio C Hamano @ 2022-05-27 18:09 UTC (permalink / raw) To: Derrick Stolee via GitGitGadget Cc: git, peff, me, avarab, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup, Derrick Stolee "Derrick Stolee via GitGitGadget" <gitgitgadget@gmail.com> writes: > diff --git a/Documentation/config/fetch.txt b/Documentation/config/fetch.txt > index cd65d236b43..7fd3ea89f5d 100644 > --- a/Documentation/config/fetch.txt > +++ b/Documentation/config/fetch.txt > @@ -96,3 +96,17 @@ fetch.writeCommitGraph:: > merge and the write may take longer. Having an updated commit-graph > file helps performance of many Git commands, including `git merge-base`, > `git push -f`, and `git log --graph`. Defaults to false. > + > +fetch.credentialsInUrl:: > + A URL can contain plaintext credentials in the form > + `protocol://<user>:<password>@domain/path`. Using such URLs is not In the above, 'protocol', 'domain' and 'path' are all placeholders, just like <user> and <password> are, and it made me wonder if we should be consistent. Enclosing all placeholders in <angle-braket> pairs would make the resulting text too loud, so it may make sense to drop these highlights around user and password. That makes it consistent with what git-credential-store.txt, git-svn.txt, gitfaq.txt and urls.txt do git-credential-store.txt:https://user:pass@example.com git-svn.txt: the URL, e.g. `svn+ssh://foo@svn.bar.com/project` gitfaq.txt:$ echo url=https://author@git.example.org | git credential reject gitfaq.txt: https://author@git.example.org/org1/project1.git and gitfaq.txt: https://committer@git.example.org/org2/project2.git. This way, when you gitfaq.txt: origin https://author@git.example.org/org1/project1.git` (see > + recommended as it exposes the password in multiple ways, including > + Git storing the URL as plaintext in the repository config. The > + `fetch.credentialsInUrl` option provides instruction for how Git > + should react to seeing such a URL, with these values: > ++ > +* `allow` (default): Git will proceed with its activity without warning. > +* `warn`: Git will write a warning message to `stderr` when parsing a URL > + with a plaintext credential. > +* `die`: Git will write a failure message to `stderr` when parsing a URL > + with a plaintext credential. Good. > diff --git a/t/t5601-clone.sh b/t/t5601-clone.sh > index 4a61f2c901e..387da74d175 100755 > --- a/t/t5601-clone.sh > +++ b/t/t5601-clone.sh > @@ -71,6 +71,18 @@ test_expect_success 'clone respects GIT_WORK_TREE' ' > > ' > > +test_expect_success 'clone warns or fails when using username:password' ' > + test_must_fail git -c fetch.credentialsInUrl=warn clone https://username:password@localhost attempt1 2>err && > + grep "warning: URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" err && > + test_must_fail git -c fetch.credentialsInUrl=die clone https://username:password@localhost attempt2 2>err && > + grep "fatal: URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" err > +' > + > +test_expect_success 'clone does not detect username:password when it is https://username@domain:port/' ' > + test_must_fail git -c fetch.credentialsInUrl=warn clone https://username@localhost:8080 attempt3 2>err && > + ! grep "uses plaintext credentials" err > +' Could we have one negative test here, too? I.e. with an explicit -c fetch.credentialsInUrl=allow given, no credential-in-URL errors and warnings should be issued. > diff --git a/urlmatch.c b/urlmatch.c > index b615adc923a..16beda37a3a 100644 > --- a/urlmatch.c > +++ b/urlmatch.c > @@ -1,5 +1,6 @@ > #include "cache.h" > #include "urlmatch.h" > +#include "config.h" > > #define URL_ALPHA "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" > #define URL_DIGIT "0123456789" > @@ -106,6 +107,59 @@ static int match_host(const struct url_info *url_info, > return (!url_len && !pat_len); > } > > +/* > + * Call this method when we have detected credentials within the 'url' in > + * the form > + * > + * scheme://username:password@domain[:port][/path] > + * > + * The 'scheme_len' value should be equal to the string length of the > + * "scheme://" portion of the URL. "scheme" is probably more technically correct here, even though in the documentation that faces the end-users, "protocol" would be more widely understood, so I think this inconsistency in a single patch across paths is a good thing ;-) > + * The fetch.credentialsInUrl config indicates what to do on such a URL, > + * either ignoring, warning, or die()ing. The latter two modes write a > + * redacted URL to stderr. > + */ > +static void detected_credentials_in_url(const char *url, size_t scheme_len) > +{ > + const char *value; > + const char *at_ptr; > + const char *colon_ptr; > + struct strbuf redacted = STRBUF_INIT; > + > + /* "allow" is the default behavior. */ > + if (git_config_get_string_tmp("fetch.credentialsinurl", &value) || > + !strcmp("allow", value)) > + return; OK. > + at_ptr = strchr(url, '@'); > + colon_ptr = strchr(url + scheme_len + 3, ':'); I am debating myself if we should explain "+ 3" that counts "://" in a comment, but it probably is trivial to see. > + /* > + * Let's do some defensive programming to ensure the given > + * URL is of the proper format. > + */ > + if (!colon_ptr) > + BUG("failed to find colon in url '%s' with scheme_len %"PRIuMAX, > + url, (uintmax_t) scheme_len); > + if (colon_ptr > at_ptr) > + BUG("input url '%s' does not include credentials", > + url); OK. The caller shouldn't have called us in these two cases. > + /* Include the colon when creating the redacted URL. */ > + colon_ptr++; > + strbuf_addstr(&redacted, url); > + strbuf_splice(&redacted, colon_ptr - url, at_ptr - colon_ptr, > + "<redacted>", 10); > + > + if (!strcmp("warn", value)) > + warning(_("URL '%s' uses plaintext credentials"), redacted.buf); > + if (!strcmp("die", value)) > + die(_("URL '%s' uses plaintext credentials"), redacted.buf); > + > + strbuf_release(&redacted); OK. Let's look at the caller. > if (colon_ptr) { > + detected_credentials_in_url(orig_url, scheme_len); > passwd_off = (colon_ptr + 1) - norm.buf; > passwd_len = norm.len - passwd_off; > user_len = (passwd_off - 1) - (scheme_len + 3); The caller apparently knows where the password and username are at this point. It is unclear which string these offsets are pointing into at this point, but at the end of the function, we have the offset and length of user and passwd that point into result, all in our local variables, even when out_info is NULL. result = strbuf_detach(&norm, &result_len); if (out_info) { out_info->url = result; out_info->err = NULL; out_info->url_len = result_len; out_info->scheme_len = scheme_len; out_info->user_off = user_off; out_info->user_len = user_len; out_info->passwd_off = passwd_off; out_info->passwd_len = passwd_len; out_info->host_off = host_off; out_info->host_len = host_len; out_info->port_off = port_off; out_info->port_len = port_len; out_info->path_off = path_off; out_info->path_len = path_len; } return result; It does make me wonder if we want another parser in the new function. Wouldn't it be easier to manage if we inserted a call to if (passwd_off) apply_fetch_credentials_in_url(result, user_off, user_len, passwd_off, passwd_len); just after the strbuf_detach() we see near the end of the function, where apply_fetch_credentials_in_url() only reads the configuration and calls warning or die as appropriate? ^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v2] urlmatch: create fetch.credentialsInUrl config 2022-05-27 18:09 ` Junio C Hamano @ 2022-05-27 18:40 ` Junio C Hamano 0 siblings, 0 replies; 40+ messages in thread From: Junio C Hamano @ 2022-05-27 18:40 UTC (permalink / raw) To: Derrick Stolee via GitGitGadget Cc: git, peff, me, avarab, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup, Derrick Stolee Junio C Hamano <gitster@pobox.com> writes: > It does make me wonder if we want another parser in the new > function. Wouldn't it be easier to manage if we inserted a > call to > > if (passwd_off) > apply_fetch_credentials_in_url(result, > user_off, user_len, passwd_off, passwd_len); > > just after the strbuf_detach() we see near the end of the function, where > apply_fetch_credentials_in_url() only reads the configuration and > calls warning or die as appropriate? The new function does not even have to take user_off and user_len, and work only with the while string with <ofs,len> pair for the password, I think, as that is the only thing it redacts in the output. Sorry about the noise. ^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v2] urlmatch: create fetch.credentialsInUrl config 2022-05-27 13:27 ` [PATCH v2] " Derrick Stolee via GitGitGadget 2022-05-27 14:22 ` Ævar Arnfjörð Bjarmason 2022-05-27 18:09 ` Junio C Hamano @ 2022-05-30 0:16 ` Junio C Hamano 2022-05-31 13:32 ` Derrick Stolee 2022-06-01 1:16 ` [PATCH v3 0/2] fetch: " Derrick Stolee via GitGitGadget 3 siblings, 1 reply; 40+ messages in thread From: Junio C Hamano @ 2022-05-30 0:16 UTC (permalink / raw) To: Derrick Stolee via GitGitGadget Cc: git, peff, me, avarab, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup, Derrick Stolee "Derrick Stolee via GitGitGadget" <gitgitgadget@gmail.com> writes: > Create a new "fetch.credentialsInUrl" config option and teach Git to > warn or die when seeing a URL with this kind of information. The warning > anonymizes the sensitive information of the URL to be clear about the > issue. > > This change currently defaults the behavior to "allow" which does > nothing with these URLs. We can consider changing this behavior to > "warn" by default if we wish. At that time, we may want to add some > advice about setting fetch.credentialsInUrl=ignore for users who still > want to follow this pattern (and not receive the warning). Can we make this die in a bit more controlled way? e.g. https://github.com/git/git/runs/6646450422 seems to show that depending on the timing, the call to die() on the "git clone" side may cause us stop reading early enough to kill the other side with SIGPIPE. The nicely prepared warning message seems to be lost. ^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v2] urlmatch: create fetch.credentialsInUrl config 2022-05-30 0:16 ` Junio C Hamano @ 2022-05-31 13:32 ` Derrick Stolee 0 siblings, 0 replies; 40+ messages in thread From: Derrick Stolee @ 2022-05-31 13:32 UTC (permalink / raw) To: Junio C Hamano, Derrick Stolee via GitGitGadget Cc: git, peff, me, avarab, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup On 5/29/2022 8:16 PM, Junio C Hamano wrote: > "Derrick Stolee via GitGitGadget" <gitgitgadget@gmail.com> writes: > >> Create a new "fetch.credentialsInUrl" config option and teach Git to >> warn or die when seeing a URL with this kind of information. The warning >> anonymizes the sensitive information of the URL to be clear about the >> issue. >> >> This change currently defaults the behavior to "allow" which does >> nothing with these URLs. We can consider changing this behavior to >> "warn" by default if we wish. At that time, we may want to add some >> advice about setting fetch.credentialsInUrl=ignore for users who still >> want to follow this pattern (and not receive the warning). > > Can we make this die in a bit more controlled way? > > e.g. https://github.com/git/git/runs/6646450422 seems to show that > depending on the timing, the call to die() on the "git clone" side > may cause us stop reading early enough to kill the other side with > SIGPIPE. The nicely prepared warning message seems to be lost. Thanks for pointing this out. It took a while for me to reproduce this with --stress, but I can get it to happen on my machine. Investigating now. Thanks, -Stolee ^ permalink raw reply [flat|nested] 40+ messages in thread
* [PATCH v3 0/2] fetch: create fetch.credentialsInUrl config 2022-05-27 13:27 ` [PATCH v2] " Derrick Stolee via GitGitGadget ` (2 preceding siblings ...) 2022-05-30 0:16 ` Junio C Hamano @ 2022-06-01 1:16 ` Derrick Stolee via GitGitGadget 2022-06-01 1:16 ` [PATCH v3 1/2] remote: " Derrick Stolee via GitGitGadget ` (2 more replies) 3 siblings, 3 replies; 40+ messages in thread From: Derrick Stolee via GitGitGadget @ 2022-06-01 1:16 UTC (permalink / raw) To: git Cc: gitster, peff, me, avarab, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup, Derrick Stolee Users can specify credentials in their URL using the username:password@domain format. This is potentially hazardous since the URL is stored in plaintext and can also appear in trace2 logs and other places. Add a new config option that allows warnings or failures when discovering URLs with this format. The default behavior does not change in this series, although we may want to move to the warn state by default in the future. This is a modified version of the patch I submitted a while ago [1]. Based on the feedback, changing the behavior to fail by default was not a good approach. Further, the idea to stop storing the credentials in config and redirect them to a credential manager was already considered by Peff [2] but not merged. This patch does what should be the simplest thing we can do: create a config option that will cause the user to get a warning or a failure, depending on its value. The default is to ignore the setting, identical to the current behavior. We can talk about changing this default to "warn" in the future, but it would be safest to release with ignore as the default until we are sure that we are not going to start warning on false positives. This patch would be sufficient for the interested internal parties that want to prevent users from storing credentials this way. System administrators can modify system-level Git config into "die" mode to prevent this behavior. [1] https://lore.kernel.org/git/pull.945.git.1619807844627.gitgitgadget@gmail.com Reject passwords in URLs (April 2021). [2] https://lore.kernel.org/git/20190519050724.GA26179@sigill.intra.peff.net/ Re: Git ransom campaign incident report - May 2019 Updates in v3 ============= * Because of some flaky behavior around SIGPIPE, the URL check needed to move to be earlier in the command. * For this reason, I moved the cred check into remote.c's valid_remote() check. This changed the previous BUG() statements into early returns. * I repeated the check with the test suite to see if this parsing fails on any existing cases, but it is worth double-checking the parsing rules. * Documentation is more consistent about using placeholders. * A test for the "allow" case is now included. * A new patch is added that creates the warn_once() helper. This reduces multiple advisory warnings with the same text from being written by the same process. Updates in v2 ============= * Documentation is slightly expanded to include the fact that Git stores the given URL as plaintext in its config. * The new method has a new documentation comment that details the necessary preconditions. * "ignore" is now "allow" * Additional checks on colon_ptr are added. * Use strbuf_splice() instead of custom string-walking logic. * Use "" instead of asterisks. * Config value checks are no longer case sensitive. Thanks, -Stolee Derrick Stolee (2): remote: create fetch.credentialsInUrl config usage: add warn_once() helper for repeated warnings Documentation/config/fetch.txt | 14 ++++++++++ git-compat-util.h | 1 + remote.c | 48 ++++++++++++++++++++++++++++++++++ t/t5601-clone.sh | 17 ++++++++++++ usage.c | 22 ++++++++++++++++ 5 files changed, 102 insertions(+) base-commit: f9b95943b68b6b8ca5a6072f50a08411c6449b55 Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-1237%2Fderrickstolee%2Fcreds-in-url-v3 Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-1237/derrickstolee/creds-in-url-v3 Pull-Request: https://github.com/gitgitgadget/git/pull/1237 Range-diff vs v2: 1: 364f5c37c70 ! 1: 083a918e9b1 urlmatch: create fetch.credentialsInUrl config @@ Metadata Author: Derrick Stolee <derrickstolee@github.com> ## Commit message ## - urlmatch: create fetch.credentialsInUrl config + remote: create fetch.credentialsInUrl config Users sometimes provide a "username:password" combination in their plaintext URLs. Since Git stores these URLs in plaintext in the @@ Commit message advice about setting fetch.credentialsInUrl=ignore for users who still want to follow this pattern (and not receive the warning). + An earlier version of this change injected the logic into + url_normalize() in urlmatch.c. While most code paths that parse URLs + eventually normalize the URL, that normalization does not happen early + enough in the stack to avoid attempting connections to the URL first. By + inserting a check into the remote validation, we identify the issue + before making a connection. In the old code path, this was revealed by + testing the new t5601-clone.sh test under --stress, resulting in an + instance where the return code was 13 (SIGPIPE) instead of 128 from the + die(). + + Since we are not deep within url_normalize(), we need to do our own + parsing to detect if there is a "username:password@domain" section. We + begin by detecting the first '@' symbol in the URL. We then detect if + there is a scheme such as "https://" by finding the first slash. If that + slash does not exist or is after the first '@' symbol, then we consider + the scheme to be complete before the URL. Finally, we look for a colon + between the scheme and the '@' symbol, indicating a "username:password" + string. Replace the password with "<redacted>" when writing the error + message. + As an attempt to ensure the parsing logic did not catch any unintentional cases, I modified this change locally to to use the "die" option by default. Running the test suite succeeds except for the @@ Documentation/config/fetch.txt: fetch.writeCommitGraph:: + +fetch.credentialsInUrl:: + A URL can contain plaintext credentials in the form -+ `protocol://<user>:<password>@domain/path`. Using such URLs is not -+ recommended as it exposes the password in multiple ways, including -+ Git storing the URL as plaintext in the repository config. The -+ `fetch.credentialsInUrl` option provides instruction for how Git ++ `<protocol>://<user>:<password>@<domain>/<path>`. Using such URLs ++ is not recommended as it exposes the password in multiple ways, ++ including Git storing the URL as plaintext in the repository config. ++ The `fetch.credentialsInUrl` option provides instruction for how Git + should react to seeing such a URL, with these values: ++ +* `allow` (default): Git will proceed with its activity without warning. @@ Documentation/config/fetch.txt: fetch.writeCommitGraph:: +* `die`: Git will write a failure message to `stderr` when parsing a URL + with a plaintext credential. - ## t/t5601-clone.sh ## -@@ t/t5601-clone.sh: test_expect_success 'clone respects GIT_WORK_TREE' ' - - ' - -+test_expect_success 'clone warns or fails when using username:password' ' -+ test_must_fail git -c fetch.credentialsInUrl=warn clone https://username:password@localhost attempt1 2>err && -+ grep "warning: URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" err && -+ test_must_fail git -c fetch.credentialsInUrl=die clone https://username:password@localhost attempt2 2>err && -+ grep "fatal: URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" err -+' -+ -+test_expect_success 'clone does not detect username:password when it is https://username@domain:port/' ' -+ test_must_fail git -c fetch.credentialsInUrl=warn clone https://username@localhost:8080 attempt3 2>err && -+ ! grep "uses plaintext credentials" err -+' -+ - test_expect_success 'clone from hooks' ' - - test_create_repo r0 && - - ## urlmatch.c ## -@@ - #include "cache.h" - #include "urlmatch.h" -+#include "config.h" - - #define URL_ALPHA "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" - #define URL_DIGIT "0123456789" -@@ urlmatch.c: static int match_host(const struct url_info *url_info, - return (!url_len && !pat_len); - } + ## remote.c ## +@@ remote.c: struct counted_string { + const char *s; + }; +/* -+ * Call this method when we have detected credentials within the 'url' in -+ * the form ++ * Check if the given URL is of the following form: + * + * scheme://username:password@domain[:port][/path] + * -+ * The 'scheme_len' value should be equal to the string length of the -+ * "scheme://" portion of the URL. ++ * Specifically, see if the ":password@" section of the URL appears. + * + * The fetch.credentialsInUrl config indicates what to do on such a URL, -+ * either ignoring, warning, or die()ing. The latter two modes write a ++ * either ignoring, warning, or erroring. The latter two modes write a + * redacted URL to stderr. + */ -+static void detected_credentials_in_url(const char *url, size_t scheme_len) ++static void check_if_creds_in_url(const char *url) +{ -+ const char *value; -+ const char *at_ptr; -+ const char *colon_ptr; ++ const char *value, *scheme_ptr, *colon_ptr, *at_ptr; + struct strbuf redacted = STRBUF_INIT; + + /* "allow" is the default behavior. */ @@ urlmatch.c: static int match_host(const struct url_info *url_info, + !strcmp("allow", value)) + return; + -+ at_ptr = strchr(url, '@'); -+ colon_ptr = strchr(url + scheme_len + 3, ':'); ++ if (!(at_ptr = strchr(url, '@'))) ++ return; + -+ /* -+ * Let's do some defensive programming to ensure the given -+ * URL is of the proper format. -+ */ -+ if (!colon_ptr) -+ BUG("failed to find colon in url '%s' with scheme_len %"PRIuMAX, -+ url, (uintmax_t) scheme_len); -+ if (colon_ptr > at_ptr) -+ BUG("input url '%s' does not include credentials", -+ url); ++ if (!(scheme_ptr = strchr(url, '/')) || ++ scheme_ptr > at_ptr) ++ scheme_ptr = url; ++ ++ if (!(colon_ptr = strchr(scheme_ptr, ':'))) ++ return; + + /* Include the colon when creating the redacted URL. */ + colon_ptr++; @@ urlmatch.c: static int match_host(const struct url_info *url_info, + strbuf_release(&redacted); +} + - static char *url_normalize_1(const char *url, struct url_info *out_info, char allow_globs) + static int valid_remote(const struct remote *remote) { - /* -@@ urlmatch.c: static char *url_normalize_1(const char *url, struct url_info *out_info, char al - */ ++ for (int i = 0; i < remote->url_nr; i++) ++ check_if_creds_in_url(remote->url[i]); ++ + return (!!remote->url) || (!!remote->foreign_vcs); + } + + + ## t/t5601-clone.sh ## +@@ t/t5601-clone.sh: test_expect_success 'clone respects GIT_WORK_TREE' ' + + ' - size_t url_len = strlen(url); -+ const char *orig_url = url; - struct strbuf norm; - size_t spanned; - size_t scheme_len, user_off=0, user_len=0, passwd_off=0, passwd_len=0; -@@ urlmatch.c: static char *url_normalize_1(const char *url, struct url_info *out_info, char al - } - colon_ptr = strchr(norm.buf + scheme_len + 3, ':'); - if (colon_ptr) { -+ detected_credentials_in_url(orig_url, scheme_len); - passwd_off = (colon_ptr + 1) - norm.buf; - passwd_len = norm.len - passwd_off; - user_len = (passwd_off - 1) - (scheme_len + 3); ++test_expect_success 'clone warns or fails when using username:password' ' ++ test_must_fail git -c fetch.credentialsInUrl=allow clone https://username:password@localhost attempt1 2>err && ++ ! grep "URL '\''https://username:<redacted>@localhost'\'' uses plaintext credentials" err && ++ test_must_fail git -c fetch.credentialsInUrl=warn clone https://username:password@localhost attempt1 2>err && ++ grep "warning: URL '\''https://username:<redacted>@localhost'\'' uses plaintext credentials" err && ++ test_must_fail git -c fetch.credentialsInUrl=die clone https://username:password@localhost attempt2 2>err && ++ grep "fatal: URL '\''https://username:<redacted>@localhost'\'' uses plaintext credentials" err ++' ++ ++test_expect_success 'clone does not detect username:password when it is https://username@domain:port/' ' ++ test_must_fail git -c fetch.credentialsInUrl=warn clone https://username@localhost:8080 attempt3 2>err && ++ ! grep "uses plaintext credentials" err ++' ++ + test_expect_success 'clone from hooks' ' + + test_create_repo r0 && -: ----------- > 2: 8e29ac807c6 usage: add warn_once() helper for repeated warnings -- gitgitgadget ^ permalink raw reply [flat|nested] 40+ messages in thread
* [PATCH v3 1/2] remote: create fetch.credentialsInUrl config 2022-06-01 1:16 ` [PATCH v3 0/2] fetch: " Derrick Stolee via GitGitGadget @ 2022-06-01 1:16 ` Derrick Stolee via GitGitGadget 2022-06-01 19:19 ` Ævar Arnfjörð Bjarmason 2022-06-01 1:16 ` [PATCH v3 2/2] usage: add warn_once() helper for repeated warnings Derrick Stolee via GitGitGadget 2022-06-02 17:20 ` [PATCH v4] remote: create fetch.credentialsInUrl config Derrick Stolee via GitGitGadget 2 siblings, 1 reply; 40+ messages in thread From: Derrick Stolee via GitGitGadget @ 2022-06-01 1:16 UTC (permalink / raw) To: git Cc: gitster, peff, me, avarab, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup, Derrick Stolee, Derrick Stolee From: Derrick Stolee <derrickstolee@github.com> Users sometimes provide a "username:password" combination in their plaintext URLs. Since Git stores these URLs in plaintext in the .git/config file, this is a very insecure way of storing these credentials. Credential managers are a more secure way of storing this information. System administrators might want to prevent this kind of use by users on their machines. Create a new "fetch.credentialsInUrl" config option and teach Git to warn or die when seeing a URL with this kind of information. The warning anonymizes the sensitive information of the URL to be clear about the issue. This change currently defaults the behavior to "allow" which does nothing with these URLs. We can consider changing this behavior to "warn" by default if we wish. At that time, we may want to add some advice about setting fetch.credentialsInUrl=ignore for users who still want to follow this pattern (and not receive the warning). An earlier version of this change injected the logic into url_normalize() in urlmatch.c. While most code paths that parse URLs eventually normalize the URL, that normalization does not happen early enough in the stack to avoid attempting connections to the URL first. By inserting a check into the remote validation, we identify the issue before making a connection. In the old code path, this was revealed by testing the new t5601-clone.sh test under --stress, resulting in an instance where the return code was 13 (SIGPIPE) instead of 128 from the die(). Since we are not deep within url_normalize(), we need to do our own parsing to detect if there is a "username:password@domain" section. We begin by detecting the first '@' symbol in the URL. We then detect if there is a scheme such as "https://" by finding the first slash. If that slash does not exist or is after the first '@' symbol, then we consider the scheme to be complete before the URL. Finally, we look for a colon between the scheme and the '@' symbol, indicating a "username:password" string. Replace the password with "<redacted>" when writing the error message. As an attempt to ensure the parsing logic did not catch any unintentional cases, I modified this change locally to to use the "die" option by default. Running the test suite succeeds except for the explicit username:password URLs used in t5550-http-fetch-dumb.sh and t5541-http-push-smart.sh. This means that all other tested URLs did not trigger this logic. Signed-off-by: Derrick Stolee <derrickstolee@github.com> --- Documentation/config/fetch.txt | 14 ++++++++++ remote.c | 48 ++++++++++++++++++++++++++++++++++ t/t5601-clone.sh | 14 ++++++++++ 3 files changed, 76 insertions(+) diff --git a/Documentation/config/fetch.txt b/Documentation/config/fetch.txt index cd65d236b43..0db7fe85bb8 100644 --- a/Documentation/config/fetch.txt +++ b/Documentation/config/fetch.txt @@ -96,3 +96,17 @@ fetch.writeCommitGraph:: merge and the write may take longer. Having an updated commit-graph file helps performance of many Git commands, including `git merge-base`, `git push -f`, and `git log --graph`. Defaults to false. + +fetch.credentialsInUrl:: + A URL can contain plaintext credentials in the form + `<protocol>://<user>:<password>@<domain>/<path>`. Using such URLs + is not recommended as it exposes the password in multiple ways, + including Git storing the URL as plaintext in the repository config. + The `fetch.credentialsInUrl` option provides instruction for how Git + should react to seeing such a URL, with these values: ++ +* `allow` (default): Git will proceed with its activity without warning. +* `warn`: Git will write a warning message to `stderr` when parsing a URL + with a plaintext credential. +* `die`: Git will write a failure message to `stderr` when parsing a URL + with a plaintext credential. diff --git a/remote.c b/remote.c index 42a4e7106e1..accf08bf51f 100644 --- a/remote.c +++ b/remote.c @@ -22,8 +22,56 @@ struct counted_string { const char *s; }; +/* + * Check if the given URL is of the following form: + * + * scheme://username:password@domain[:port][/path] + * + * Specifically, see if the ":password@" section of the URL appears. + * + * The fetch.credentialsInUrl config indicates what to do on such a URL, + * either ignoring, warning, or erroring. The latter two modes write a + * redacted URL to stderr. + */ +static void check_if_creds_in_url(const char *url) +{ + const char *value, *scheme_ptr, *colon_ptr, *at_ptr; + struct strbuf redacted = STRBUF_INIT; + + /* "allow" is the default behavior. */ + if (git_config_get_string_tmp("fetch.credentialsinurl", &value) || + !strcmp("allow", value)) + return; + + if (!(at_ptr = strchr(url, '@'))) + return; + + if (!(scheme_ptr = strchr(url, '/')) || + scheme_ptr > at_ptr) + scheme_ptr = url; + + if (!(colon_ptr = strchr(scheme_ptr, ':'))) + return; + + /* Include the colon when creating the redacted URL. */ + colon_ptr++; + strbuf_addstr(&redacted, url); + strbuf_splice(&redacted, colon_ptr - url, at_ptr - colon_ptr, + "<redacted>", 10); + + if (!strcmp("warn", value)) + warning(_("URL '%s' uses plaintext credentials"), redacted.buf); + if (!strcmp("die", value)) + die(_("URL '%s' uses plaintext credentials"), redacted.buf); + + strbuf_release(&redacted); +} + static int valid_remote(const struct remote *remote) { + for (int i = 0; i < remote->url_nr; i++) + check_if_creds_in_url(remote->url[i]); + return (!!remote->url) || (!!remote->foreign_vcs); } diff --git a/t/t5601-clone.sh b/t/t5601-clone.sh index 4a61f2c901e..cba3553b7c4 100755 --- a/t/t5601-clone.sh +++ b/t/t5601-clone.sh @@ -71,6 +71,20 @@ test_expect_success 'clone respects GIT_WORK_TREE' ' ' +test_expect_success 'clone warns or fails when using username:password' ' + test_must_fail git -c fetch.credentialsInUrl=allow clone https://username:password@localhost attempt1 2>err && + ! grep "URL '\''https://username:<redacted>@localhost'\'' uses plaintext credentials" err && + test_must_fail git -c fetch.credentialsInUrl=warn clone https://username:password@localhost attempt1 2>err && + grep "warning: URL '\''https://username:<redacted>@localhost'\'' uses plaintext credentials" err && + test_must_fail git -c fetch.credentialsInUrl=die clone https://username:password@localhost attempt2 2>err && + grep "fatal: URL '\''https://username:<redacted>@localhost'\'' uses plaintext credentials" err +' + +test_expect_success 'clone does not detect username:password when it is https://username@domain:port/' ' + test_must_fail git -c fetch.credentialsInUrl=warn clone https://username@localhost:8080 attempt3 2>err && + ! grep "uses plaintext credentials" err +' + test_expect_success 'clone from hooks' ' test_create_repo r0 && -- gitgitgadget ^ permalink raw reply related [flat|nested] 40+ messages in thread
* Re: [PATCH v3 1/2] remote: create fetch.credentialsInUrl config 2022-06-01 1:16 ` [PATCH v3 1/2] remote: " Derrick Stolee via GitGitGadget @ 2022-06-01 19:19 ` Ævar Arnfjörð Bjarmason 2022-06-02 13:38 ` Derrick Stolee 0 siblings, 1 reply; 40+ messages in thread From: Ævar Arnfjörð Bjarmason @ 2022-06-01 19:19 UTC (permalink / raw) To: Derrick Stolee via GitGitGadget Cc: git, gitster, peff, me, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup, Derrick Stolee On Wed, Jun 01 2022, Derrick Stolee via GitGitGadget wrote: > From: Derrick Stolee <derrickstolee@github.com> > > + for (int i = 0; i < remote->url_nr; i++) I think we're trying to avoid that bit of C99 in general use until Junio's canary graduates. See 6563706568b (CodingGuidelines: give deadline for "for (int i = 0; ...", 2022-03-30). ^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v3 1/2] remote: create fetch.credentialsInUrl config 2022-06-01 19:19 ` Ævar Arnfjörð Bjarmason @ 2022-06-02 13:38 ` Derrick Stolee 0 siblings, 0 replies; 40+ messages in thread From: Derrick Stolee @ 2022-06-02 13:38 UTC (permalink / raw) To: Ævar Arnfjörð Bjarmason, Derrick Stolee via GitGitGadget Cc: git, gitster, peff, me, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup On 6/1/2022 3:19 PM, Ævar Arnfjörð Bjarmason wrote: > > On Wed, Jun 01 2022, Derrick Stolee via GitGitGadget wrote: > >> From: Derrick Stolee <derrickstolee@github.com> >> >> + for (int i = 0; i < remote->url_nr; i++) > > I think we're trying to avoid that bit of C99 in general use until > Junio's canary graduates. See 6563706568b (CodingGuidelines: give > deadline for "for (int i = 0; ...", 2022-03-30). Ah, thanks. I remembered that canary going out a long time ago, but forgot to check if we had committed to it. Thanks, -Stolee ^ permalink raw reply [flat|nested] 40+ messages in thread
* [PATCH v3 2/2] usage: add warn_once() helper for repeated warnings 2022-06-01 1:16 ` [PATCH v3 0/2] fetch: " Derrick Stolee via GitGitGadget 2022-06-01 1:16 ` [PATCH v3 1/2] remote: " Derrick Stolee via GitGitGadget @ 2022-06-01 1:16 ` Derrick Stolee via GitGitGadget 2022-06-01 12:29 ` Ævar Arnfjörð Bjarmason 2022-06-01 20:40 ` Junio C Hamano 2022-06-02 17:20 ` [PATCH v4] remote: create fetch.credentialsInUrl config Derrick Stolee via GitGitGadget 2 siblings, 2 replies; 40+ messages in thread From: Derrick Stolee via GitGitGadget @ 2022-06-01 1:16 UTC (permalink / raw) To: git Cc: gitster, peff, me, avarab, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup, Derrick Stolee, Derrick Stolee From: Derrick Stolee <derrickstolee@github.com> The previous change added a warning when valid_remote() detects credentials in the URL. Since remotes are validated multiple times per process, this causes multiple warnings to print. To avoid these kinds of repeated, advisory warnings, create a new warn_once() helper that behaves the same as warning(), but only after formatting the output string and adding it to a strset. If that addition signals that the string already exists in the strset, then do not print the warning. In the case of the credentials in a URL, the existing test demonstrates this per-process limitation: 'git clone' runs 'git-remote-curl' as a child process, giving two messages. This is an improvement over the previous six messages. Signed-off-by: Derrick Stolee <derrickstolee@github.com> --- git-compat-util.h | 1 + remote.c | 2 +- t/t5601-clone.sh | 5 ++++- usage.c | 22 ++++++++++++++++++++++ 4 files changed, 28 insertions(+), 2 deletions(-) diff --git a/git-compat-util.h b/git-compat-util.h index 58fd813bd01..776a5f660aa 100644 --- a/git-compat-util.h +++ b/git-compat-util.h @@ -526,6 +526,7 @@ int error(const char *err, ...) __attribute__((format (printf, 1, 2))); int error_errno(const char *err, ...) __attribute__((format (printf, 1, 2))); void warning(const char *err, ...) __attribute__((format (printf, 1, 2))); void warning_errno(const char *err, ...) __attribute__((format (printf, 1, 2))); +void warn_once(const char *warn, ...) __attribute__((format (printf, 1, 2))); #ifndef NO_OPENSSL #ifdef APPLE_COMMON_CRYPTO diff --git a/remote.c b/remote.c index accf08bf51f..72fffd0d968 100644 --- a/remote.c +++ b/remote.c @@ -60,7 +60,7 @@ static void check_if_creds_in_url(const char *url) "<redacted>", 10); if (!strcmp("warn", value)) - warning(_("URL '%s' uses plaintext credentials"), redacted.buf); + warn_once(_("URL '%s' uses plaintext credentials"), redacted.buf); if (!strcmp("die", value)) die(_("URL '%s' uses plaintext credentials"), redacted.buf); diff --git a/t/t5601-clone.sh b/t/t5601-clone.sh index cba3553b7c4..6ae3eec9eb6 100755 --- a/t/t5601-clone.sh +++ b/t/t5601-clone.sh @@ -75,7 +75,10 @@ test_expect_success 'clone warns or fails when using username:password' ' test_must_fail git -c fetch.credentialsInUrl=allow clone https://username:password@localhost attempt1 2>err && ! grep "URL '\''https://username:<redacted>@localhost'\'' uses plaintext credentials" err && test_must_fail git -c fetch.credentialsInUrl=warn clone https://username:password@localhost attempt1 2>err && - grep "warning: URL '\''https://username:<redacted>@localhost'\'' uses plaintext credentials" err && + grep "warning: URL '\''https://username:<redacted>@localhost'\'' uses plaintext credentials" err >warnings && + # The warning is printed twice, for the two processes: + # "git clone" and "git-remote-curl". + test_line_count = 2 warnings && test_must_fail git -c fetch.credentialsInUrl=die clone https://username:password@localhost attempt2 2>err && grep "fatal: URL '\''https://username:<redacted>@localhost'\'' uses plaintext credentials" err ' diff --git a/usage.c b/usage.c index b738dd178b3..242633c5f8d 100644 --- a/usage.c +++ b/usage.c @@ -5,6 +5,7 @@ */ #include "git-compat-util.h" #include "cache.h" +#include "strmap.h" static void vreportf(const char *prefix, const char *err, va_list params) { @@ -287,6 +288,27 @@ void warning(const char *warn, ...) va_end(params); } +static struct strset prev_warnings = STRSET_INIT; + +void warn_once(const char *warn, ...) +{ + char buf[1024]; + va_list params; + va_start(params, warn); + + if (vsnprintf(buf, sizeof(buf), warn, params) >= 0) { + if (!strset_add(&prev_warnings, buf)) { + va_end(params); + return; + } + } + va_end(params); + + va_start(params, warn); + warn_routine(warn, params); + va_end(params); +} + /* Only set this, ever, from t/helper/, when verifying that bugs are caught. */ int BUG_exit_code; -- gitgitgadget ^ permalink raw reply related [flat|nested] 40+ messages in thread
* Re: [PATCH v3 2/2] usage: add warn_once() helper for repeated warnings 2022-06-01 1:16 ` [PATCH v3 2/2] usage: add warn_once() helper for repeated warnings Derrick Stolee via GitGitGadget @ 2022-06-01 12:29 ` Ævar Arnfjörð Bjarmason 2022-06-01 18:42 ` Derrick Stolee 2022-06-01 20:40 ` Junio C Hamano 1 sibling, 1 reply; 40+ messages in thread From: Ævar Arnfjörð Bjarmason @ 2022-06-01 12:29 UTC (permalink / raw) To: Derrick Stolee via GitGitGadget Cc: git, gitster, peff, me, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup, Derrick Stolee On Wed, Jun 01 2022, Derrick Stolee via GitGitGadget wrote: > From: Derrick Stolee <derrickstolee@github.com> > > The previous change added a warning when valid_remote() detects > credentials in the URL. Since remotes are validated multiple times per > process, this causes multiple warnings to print. Why are we validating remotes multiple times per process? Can't we just do it once? Is this a case of two callers going through the whole machinery and not being aware of one another? Perhaps it's a pain to deal with that in this case, but it would be better to note why here than taking it as a given. > To avoid these kinds of repeated, advisory warnings, create a new > warn_once() helper that behaves the same as warning(), but only after > formatting the output string and adding it to a strset. If that addition > signals that the string already exists in the strset, then do not print > the warning. This feels quite iffy given the low-level API & the rest of it aiming to be thread-safe, see 2d3c02f5db6 (die(): stop hiding errors due to overzealous recursion guard, 2017-06-21) for such a case. I.e. there *is* racy code there already that (ab)uses a no-lock pattern to optimistically abort early when we'd emit N of the same recursion message. But are we as confident that concurrent strset callers in multiple threads will behave themselves? I'd think we should be adding this to the caller that knows it's not threaded, e.g. whatever calls check_if_creds_in_url(). > In the case of the credentials in a URL, the existing test demonstrates > this per-process limitation: 'git clone' runs 'git-remote-curl' as a > child process, giving two messages. This is an improvement over the > previous six messages. If we know about this limitation and we're going to be checking the same URLs why not do slightly better and pass down a "don't warn please" to the sub-process? Or do we think it might warn about *different* URLs, aren't these always the same (i.e. we read the full config)? If you used advice instead of a warning you'd get a config key to pass for free to disable it, and that might be a better thing to do in any case (i.e. a better fit for this case). But we could also just check getenv("GIT_URL_REDACTED_WARNING") or whatever, which seems easy enough... > diff --git a/t/t5601-clone.sh b/t/t5601-clone.sh > index cba3553b7c4..6ae3eec9eb6 100755 > --- a/t/t5601-clone.sh > +++ b/t/t5601-clone.sh > @@ -75,7 +75,10 @@ test_expect_success 'clone warns or fails when using username:password' ' > test_must_fail git -c fetch.credentialsInUrl=allow clone https://username:password@localhost attempt1 2>err && > ! grep "URL '\''https://username:<redacted>@localhost'\'' uses plaintext credentials" err && > test_must_fail git -c fetch.credentialsInUrl=warn clone https://username:password@localhost attempt1 2>err && > - grep "warning: URL '\''https://username:<redacted>@localhost'\'' uses plaintext credentials" err && > + grep "warning: URL '\''https://username:<redacted>@localhost'\'' uses plaintext credentials" err >warnings && > + # The warning is printed twice, for the two processes: > + # "git clone" and "git-remote-curl". > + test_line_count = 2 warnings && > test_must_fail git -c fetch.credentialsInUrl=die clone https://username:password@localhost attempt2 2>err && > grep "fatal: URL '\''https://username:<redacted>@localhost'\'' uses plaintext credentials" err > ' Hrm, between 1/2 and this I think this is a good example of a "just use test_cmp" caveat. I.e. reading 1/2 it's snuck past us that there's this existing caveat in the warning being added, i.e. that we should really warn 1 times, but are doing in N times, but as we use ad-hoc "grep" instead of test_cmp-ing the full output that's not obvious. I think this would be much more obvious as: warning="<your warning msg>" && cat >expect <<-EOF && $warning $warning EOF Or whatever, followed by a: test_cmp expect actual Then 1/2 could make a brief note that we're leaving this duplication issue for now, and 2/2 would fix it. But even better (and per the above, I'm not convinced about the direction, but leaving that aside): Here we have a choice between having 1/2 and 2/2 in that order and having 2/2 add a new API that has its first user right away, but at the cost of fixing a bug we just introduced in 1/2. I think even if we can't find another API user for this proposed usage.c addition, just adding it without a user & adding what's now 1/2 as the 2nd commit would be preferrable. Then we're not doing a "oops, bug fix" while we're at it. > +static struct strset prev_warnings = STRSET_INIT; > + > +void warn_once(const char *warn, ...) > +{ If we do end up keeping this (per the above I'm thinking while it's just this caller it should probably own this problem): I have a local change to clean up this warn v.s. warning inconsistency in usage.c, but now it's all in internal code. But let's not add to it by adding a warn_once(), it should be called warning_once(). We're also missing an "errno" variant, which might be fine for now, ditto variants for the other non-fatal functions (error & die_message). That might be OK for now, but probably worth noting. > +void warn_once(const char *warn, ...) > +{ > + char buf[1024]; > + va_list params; > + va_start(params, warn); > + > + if (vsnprintf(buf, sizeof(buf), warn, params) >= 0) { It doesn't matter for the end result, but let's compare with "< 0" like the other vsnprintf() caller in the file. And how is this unlike that vsnprintf() in not needing the same error handling vreportf() does here: *p = '\0'; /* vsnprintf() failed, clip at prefix */ Seems like either a bug, or that other code being something we should be dropping. > + if (!strset_add(&prev_warnings, buf)) { More on the general API usability front: E.g. builtin/pack-objects.c seems like it could make use of thing like this in two places. But the API you've added here would only be usable for 1/2, i.e. you format and de-dup on the full warning, whereas at least 1/2 of those callers wants to de-dup on the un-formatted string (grep for 'static int warned'). Which (and I'm sounding like a broken record:) is another thing that me wonder if the general API is premature, i.e. it's a red flag that we have existing code that could benefit from it, if not for an arbitrary limitation, in this case fixing the limitation would mean the churn of either adding a new function, or a new parameter to all callers. I.e. a "int dedup_on_args" or similar. > + va_end(params); > + return; > + } > + } > + va_end(params); > + > + va_start(params, warn); I'm rusty on the varargs API (and haven't tested) but didn't we need va_copy() if we're iterating twice, or was that just if we're passing it to another function and using it ourselves... ^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v3 2/2] usage: add warn_once() helper for repeated warnings 2022-06-01 12:29 ` Ævar Arnfjörð Bjarmason @ 2022-06-01 18:42 ` Derrick Stolee 2022-06-01 19:33 ` Ævar Arnfjörð Bjarmason 2022-06-01 20:21 ` Junio C Hamano 0 siblings, 2 replies; 40+ messages in thread From: Derrick Stolee @ 2022-06-01 18:42 UTC (permalink / raw) To: Ævar Arnfjörð Bjarmason, Derrick Stolee via GitGitGadget Cc: git, gitster, peff, me, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup On 6/1/2022 8:29 AM, Ævar Arnfjörð Bjarmason wrote:> > On Wed, Jun 01 2022, Derrick Stolee via GitGitGadget wrote: > >> From: Derrick Stolee <derrickstolee@github.com> >> >> The previous change added a warning when valid_remote() detects >> credentials in the URL. Since remotes are validated multiple times per >> process, this causes multiple warnings to print. > > Why are we validating remotes multiple times per process? Can't we just > do it once? > > Is this a case of two callers going through the whole machinery and not > being aware of one another? > > Perhaps it's a pain to deal with that in this case, but it would be > better to note why here than taking it as a given. We could certainly investigate this more, but it seems like a more problematic approach than the one taken here. We could add a "is_valid" bit to struct remote, but then could some code path modify that struct after it was validated? >> To avoid these kinds of repeated, advisory warnings, create a new >> warn_once() helper that behaves the same as warning(), but only after >> formatting the output string and adding it to a strset. If that addition >> signals that the string already exists in the strset, then do not print >> the warning. > > This feels quite iffy given the low-level API & the rest of it aiming to > be thread-safe, see 2d3c02f5db6 (die(): stop hiding errors due to > overzealous recursion guard, 2017-06-21) for such a case. It makes sense to keep the low-level library as thread-safe as possible. Would it be enough to document this particular caller as not thread-safe? >> In the case of the credentials in a URL, the existing test demonstrates >> this per-process limitation: 'git clone' runs 'git-remote-curl' as a >> child process, giving two messages. This is an improvement over the >> previous six messages. > > If we know about this limitation and we're going to be checking the same > URLs why not do slightly better and pass down a "don't warn please" to > the sub-process?>> Or do we think it might warn about *different* URLs, aren't these always > the same (i.e. we read the full config)? While this example of 'git clone' to 'git-remote-curl' will not use a different URL, I can imagine other child process connections that could expose a different URL. Having a blanket statement "don't emit these warnings" seems unlikely to be helpful for those cases. > If you used advice instead of a warning you'd get a config key to pass > for free to disable it, and that might be a better thing to do in any > case (i.e. a better fit for this case). But we could also just check > getenv("GIT_URL_REDACTED_WARNING") or whatever, which seems easy > enough... To make the environment variable work properly, we would need to pass a list of URLs in the variable that could seed the strset, to avoid dropping warnings for new cases as mentioned earlier. >> diff --git a/t/t5601-clone.sh b/t/t5601-clone.sh >> index cba3553b7c4..6ae3eec9eb6 100755 >> --- a/t/t5601-clone.sh >> +++ b/t/t5601-clone.sh >> @@ -75,7 +75,10 @@ test_expect_success 'clone warns or fails when using username:password' ' >> test_must_fail git -c fetch.credentialsInUrl=allow clone https://username:password@localhost attempt1 2>err && >> ! grep "URL '\''https://username:<redacted>@localhost'\'' uses plaintext credentials" err && >> test_must_fail git -c fetch.credentialsInUrl=warn clone https://username:password@localhost attempt1 2>err && >> - grep "warning: URL '\''https://username:<redacted>@localhost'\'' uses plaintext credentials" err && >> + grep "warning: URL '\''https://username:<redacted>@localhost'\'' uses plaintext credentials" err >warnings && >> + # The warning is printed twice, for the two processes: >> + # "git clone" and "git-remote-curl". >> + test_line_count = 2 warnings && >> test_must_fail git -c fetch.credentialsInUrl=die clone https://username:password@localhost attempt2 2>err && >> grep "fatal: URL '\''https://username:<redacted>@localhost'\'' uses plaintext credentials" err >> ' > > Hrm, between 1/2 and this I think this is a good example of a "just use > test_cmp" caveat. > > I.e. reading 1/2 it's snuck past us that there's this existing caveat in > the warning being added, i.e. that we should really warn 1 times, but > are doing in N times, but as we use ad-hoc "grep" instead of > test_cmp-ing the full output that's not obvious. > > I think this would be much more obvious as: > > warning="<your warning msg>" && > cat >expect <<-EOF && > $warning > $warning > EOF There are other warnings coming over stderr, including the "Cloning into..." message and the resulting "fatal:" message because that URL doesn't actually exist. I chose to decouple this test to the exact phrasing of those messages. > But even better (and per the above, I'm not convinced about the > direction, but leaving that aside): Here we have a choice between having > 1/2 and 2/2 in that order and having 2/2 add a new API that has its > first user right away, but at the cost of fixing a bug we just > introduced in 1/2. > > I think even if we can't find another API user for this proposed usage.c > addition, just adding it without a user & adding what's now 1/2 as the > 2nd commit would be preferrable. Then we're not doing a "oops, bug fix" > while we're at it. I wouldn't call this a "oops, bug fix" but instead "let's improve what was working, but noisy." This also gives us the opportunity to see the code in usage.c get tested immediately as it is introduced, which is an important property to keep in mind when organizing a patch series. >> +static struct strset prev_warnings = STRSET_INIT; >> + >> +void warn_once(const char *warn, ...) >> +{ > > If we do end up keeping this (per the above I'm thinking while it's just > this caller it should probably own this problem): > > I have a local change to clean up this warn v.s. warning inconsistency > in usage.c, but now it's all in internal code. > > But let's not add to it by adding a warn_once(), it should be called > warning_once(). Sure. The phrase "warn once" is a valid sentence, while "warning once" is not, but I can see some benefit to having consistent naming here. If the "warning()" method was not already present so much throughout the codebase, then I would advocate that "warn()" is a better verb form. This would be similar to "die()" and even "error()" could be interpreted as a verb. However, that would be too large of a change to be worthwhile. > We're also missing an "errno" variant, which might be fine for now, > ditto variants for the other non-fatal functions (error & > die_message). That might be OK for now, but probably worth noting. Noted. >> +void warn_once(const char *warn, ...) >> +{ >> + char buf[1024]; >> + va_list params; >> + va_start(params, warn); >> + >> + if (vsnprintf(buf, sizeof(buf), warn, params) >= 0) { > > It doesn't matter for the end result, but let's compare with "< 0" like > the other vsnprintf() caller in the file. Except that we do something after this block in both cases, so the condition needs to be swapped or else duplicate code. > And how is this unlike that vsnprintf() in not needing the same error > handling vreportf() does here: > > *p = '\0'; /* vsnprintf() failed, clip at prefix */ > > Seems like either a bug, or that other code being something we should be > dropping. No, because the params are passed to warn_routine() in the section of code you cropped out: + va_start(params, warn); + warn_routine(warn, params); + va_end(params); That warn_routine does the "clip at prefix" fix. if we have a failure in vsnprintf() here, then we are skipping the "only once" check and going straight to that logic. >> + if (!strset_add(&prev_warnings, buf)) { > > More on the general API usability front: E.g. builtin/pack-objects.c > seems like it could make use of thing like this in two places. > > But the API you've added here would only be usable for 1/2, i.e. you > format and de-dup on the full warning, whereas at least 1/2 of those > callers wants to de-dup on the un-formatted string (grep for 'static int > warned'). > > Which (and I'm sounding like a broken record:) is another thing that me > wonder if the general API is premature, i.e. it's a red flag that we > have existing code that could benefit from it, if not for an arbitrary > limitation, in this case fixing the limitation would mean the churn of > either adding a new function, or a new parameter to all callers. I.e. a > "int dedup_on_args" or similar. You are advocating that since there is one example of something that doesn't fit this exact scenario, then we shouldn't move forward on something that _does_ have immediate use (and potential use in other places). This seem unnecessarily pedantic. This specific method is a good foundation for possibly extending it if there is value in doing so. >> + va_end(params); >> + return; >> + } >> + } >> + va_end(params); >> + >> + va_start(params, warn); > > I'm rusty on the varargs API (and haven't tested) but didn't we need > va_copy() if we're iterating twice, or was that just if we're passing it > to another function and using it ourselves... Well, outside of the fact that this function is tested and it works, the documentation says this about the 'params' argument (named 'ap' in the function prototype): If ap has already been passed as first argument to a previous call to va_start or va_copy, it shall be passed to va_end before calling this function. So, va_end(params) makes it safe to call va_start(params, warn) again. Thanks, -Stolee ^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v3 2/2] usage: add warn_once() helper for repeated warnings 2022-06-01 18:42 ` Derrick Stolee @ 2022-06-01 19:33 ` Ævar Arnfjörð Bjarmason 2022-06-02 13:43 ` Derrick Stolee 2022-06-01 20:21 ` Junio C Hamano 1 sibling, 1 reply; 40+ messages in thread From: Ævar Arnfjörð Bjarmason @ 2022-06-01 19:33 UTC (permalink / raw) To: Derrick Stolee Cc: Derrick Stolee via GitGitGadget, git, gitster, peff, me, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup On Wed, Jun 01 2022, Derrick Stolee wrote: > On 6/1/2022 8:29 AM, Ævar Arnfjörð Bjarmason wrote:> >> On Wed, Jun 01 2022, Derrick Stolee via GitGitGadget wrote: >> >>> From: Derrick Stolee <derrickstolee@github.com> >>> >>> The previous change added a warning when valid_remote() detects >>> credentials in the URL. Since remotes are validated multiple times per >>> process, this causes multiple warnings to print. >> >> Why are we validating remotes multiple times per process? Can't we just >> do it once? >> >> Is this a case of two callers going through the whole machinery and not >> being aware of one another? >> >> Perhaps it's a pain to deal with that in this case, but it would be >> better to note why here than taking it as a given. > > We could certainly investigate this more, but it seems like a more > problematic approach than the one taken here. We could add a "is_valid" > bit to struct remote, but then could some code path modify that struct > after it was validated? I tested this a bit and I think this alternate approach is simpler, and it passes your tests: diff --git a/remote.c b/remote.c index faa2f834635..56ce2c83022 100644 --- a/remote.c +++ b/remote.c @@ -60,7 +60,7 @@ static void check_if_creds_in_url(const char *url) "<redacted>", 10); if (!strcmp("warn", value)) - warn_once(_("URL '%s' uses plaintext credentials"), redacted.buf); + warning(_("URL '%s' uses plaintext credentials"), redacted.buf); if (!strcmp("die", value)) die(_("URL '%s' uses plaintext credentials"), redacted.buf); @@ -69,12 +69,17 @@ static void check_if_creds_in_url(const char *url) static int valid_remote(const struct remote *remote) { - for (int i = 0; i < remote->url_nr; i++) - check_if_creds_in_url(remote->url[i]); - return (!!remote->url) || (!!remote->foreign_vcs); } +static void valid_remote_at_end(const struct remote *remote) +{ + int i; + + for (i = 0; i < remote->url_nr; i++) + check_if_creds_in_url(remote->url[i]); +} + static const char *alias_url(const char *url, struct rewrites *r) { int i, j; @@ -687,6 +692,7 @@ remotes_remote_get_1(struct remote_state *remote_state, const char *name, add_url_alias(remote_state, ret, name); if (!valid_remote(ret)) return NULL; + valid_remote_at_end(ret); return ret; } I.e. we already have one spot where we get the full remote config, you were just hooking into valid_remote() which we call N times while doing that, let's just call it at the end. Aside from general de-duplication APIs that to me seems like a more sensible approach here, i.e. surely we should be getting the remote config once, let's stick such a validation loop in that place. And it seems we do, the stack is e.g.: (gdb) bt #0 warn_once (warn=0x79f1f3 "URL '%s' uses plaintext credentials") at usage.c:297 #1 0x0000000000688a98 in check_if_creds_in_url (url=0x8677a0 "https://username:password@localhost") at remote.c:63 #2 0x0000000000688858 in valid_remote_at_end (remote=0x872a40) at remote.c:80 #3 0x0000000000688397 in remotes_remote_get_1 (remote_state=0x85ca00, name=0x861f10 "origin", get_default=0x681d00 <remotes_remote_for_branch>) at remote.c:695 #4 0x0000000000681fd7 in remotes_remote_get (remote_state=0x85ca00, name=0x861f10 "origin") at remote.c:702 #5 0x0000000000682071 in remote_get (name=0x861f10 "origin") at remote.c:709 #6 0x0000000000433b05 in cmd_clone (argc=2, argv=0x7fffffffd028, prefix=0x0) at builtin/clone.c:1146 #7 0x0000000000407d6b in run_builtin (p=0x8259f8 <commands+504>, argc=3, argv=0x7fffffffd028) at git.c:466 #8 0x0000000000406802 in handle_builtin (argc=3, argv=0x7fffffffd028) at git.c:720 #9 0x0000000000407746 in run_argv (argcp=0x7fffffffcecc, argv=0x7fffffffcec0) at git.c:787 #10 0x00000000004065bb in cmd_main (argc=3, argv=0x7fffffffd028) at git.c:920 #11 0x000000000051279a in main (argc=7, argv=0x7fffffffd008) at common-main.c:56 You put the validation in a function we called N times in remotes_remote_get_1(), but if we just put it once in remotes_remote_get_1().... >>> To avoid these kinds of repeated, advisory warnings, create a new >>> warn_once() helper that behaves the same as warning(), but only after >>> formatting the output string and adding it to a strset. If that addition >>> signals that the string already exists in the strset, then do not print >>> the warning. >> >> This feels quite iffy given the low-level API & the rest of it aiming to >> be thread-safe, see 2d3c02f5db6 (die(): stop hiding errors due to >> overzealous recursion guard, 2017-06-21) for such a case. > > It makes sense to keep the low-level library as thread-safe as possible. > > Would it be enough to document this particular caller as not thread-safe? See above, but I'd think we really should consider alternatives before leaving such landmines in place. I.e. this is called by remote.c, which is common library code itself, someone implementing threads somewhere isn't going to be thinking about or reading caveats about libraries remote.c itself uses unless they're quite lucky... >>> In the case of the credentials in a URL, the existing test demonstrates >>> this per-process limitation: 'git clone' runs 'git-remote-curl' as a >>> child process, giving two messages. This is an improvement over the >>> previous six messages. >> >> If we know about this limitation and we're going to be checking the same >> URLs why not do slightly better and pass down a "don't warn please" to >> the sub-process?>> Or do we think it might warn about *different* URLs, aren't these always >> the same (i.e. we read the full config)? > > While this example of 'git clone' to 'git-remote-curl' will not use a > different URL, I can imagine other child process connections that could > expose a different URL. Having a blanket statement "don't emit these > warnings" seems unlikely to be helpful for those cases. Yes, I can imagine we might want to do that, but until we find such an API user it seems much simpler to warn in the "primary", i.e. clone/fetch & not the helper process. Unless there's cases I'm missing where the "primary" is aware of the URL and the others aren't (and even then we could just do this the other way around, no?) Also isn't such a warning behavior unnecessarily verbose, i.e. does this (I haven't checked in detail) warn about any such bad URL in config anywhere, not just the one you're actually using at the moment, or at least the one for your current remote? In that case (if we end up having trouble with this) perhaps just warning about the URL we use would be Good Enough and simpler. >> If you used advice instead of a warning you'd get a config key to pass >> for free to disable it, and that might be a better thing to do in any >> case (i.e. a better fit for this case). But we could also just check >> getenv("GIT_URL_REDACTED_WARNING") or whatever, which seems easy >> enough... > > To make the environment variable work properly, we would need to pass a > list of URLs in the variable that could seed the strset, to avoid dropping > warnings for new cases as mentioned earlier. I think a much simpler thing to do is to just set a variable in clone.c and fetch.c and have those emit this, and otherwise stay quiet. The reason you have duplication now is because clone is calling a remote helper. >>> diff --git a/t/t5601-clone.sh b/t/t5601-clone.sh >>> index cba3553b7c4..6ae3eec9eb6 100755 >>> --- a/t/t5601-clone.sh >>> +++ b/t/t5601-clone.sh >>> @@ -75,7 +75,10 @@ test_expect_success 'clone warns or fails when using username:password' ' >>> test_must_fail git -c fetch.credentialsInUrl=allow clone https://username:password@localhost attempt1 2>err && >>> ! grep "URL '\''https://username:<redacted>@localhost'\'' uses plaintext credentials" err && >>> test_must_fail git -c fetch.credentialsInUrl=warn clone https://username:password@localhost attempt1 2>err && >>> - grep "warning: URL '\''https://username:<redacted>@localhost'\'' uses plaintext credentials" err && >>> + grep "warning: URL '\''https://username:<redacted>@localhost'\'' uses plaintext credentials" err >warnings && >>> + # The warning is printed twice, for the two processes: >>> + # "git clone" and "git-remote-curl". >>> + test_line_count = 2 warnings && >>> test_must_fail git -c fetch.credentialsInUrl=die clone https://username:password@localhost attempt2 2>err && >>> grep "fatal: URL '\''https://username:<redacted>@localhost'\'' uses plaintext credentials" err Speaking of which, we really should test this "we expect N warning(s)" for both fetch & clone, shouldn't we? Ditto push. >>> ' >> >> Hrm, between 1/2 and this I think this is a good example of a "just use >> test_cmp" caveat. >> >> I.e. reading 1/2 it's snuck past us that there's this existing caveat in >> the warning being added, i.e. that we should really warn 1 times, but >> are doing in N times, but as we use ad-hoc "grep" instead of >> test_cmp-ing the full output that's not obvious. >> >> I think this would be much more obvious as: >> >> warning="<your warning msg>" && >> cat >expect <<-EOF && >> $warning >> $warning >> EOF > > There are other warnings coming over stderr, including the "Cloning > into..." message and the resulting "fatal:" message because that URL > doesn't actually exist. I chose to decouple this test to the exact > phrasing of those messages. FWIW: grep ^warning: >warnings && test_cmp ... Would take care of that. >> But even better (and per the above, I'm not convinced about the >> direction, but leaving that aside): Here we have a choice between having >> 1/2 and 2/2 in that order and having 2/2 add a new API that has its >> first user right away, but at the cost of fixing a bug we just >> introduced in 1/2. >> >> I think even if we can't find another API user for this proposed usage.c >> addition, just adding it without a user & adding what's now 1/2 as the >> 2nd commit would be preferrable. Then we're not doing a "oops, bug fix" >> while we're at it. > > I wouldn't call this a "oops, bug fix" but instead "let's improve what was > working, but noisy." This also gives us the opportunity to see the code in > usage.c get tested immediately as it is introduced, which is an important > property to keep in mind when organizing a patch series. *nod*, just a thought. >>> +static struct strset prev_warnings = STRSET_INIT; >>> + >>> +void warn_once(const char *warn, ...) >>> +{ >> >> If we do end up keeping this (per the above I'm thinking while it's just >> this caller it should probably own this problem): >> >> I have a local change to clean up this warn v.s. warning inconsistency >> in usage.c, but now it's all in internal code. >> >> But let's not add to it by adding a warn_once(), it should be called >> warning_once(). > > Sure. The phrase "warn once" is a valid sentence, while "warning once" is > not, but I can see some benefit to having consistent naming here. > > If the "warning()" method was not already present so much throughout the > codebase, then I would advocate that "warn()" is a better verb form. This > would be similar to "die()" and even "error()" could be interpreted as a > verb. However, that would be too large of a change to be worthwhile. Yeah I'd also prefer warn() myself, but since we have warning() and warning_errno() consistency is better... >> We're also missing an "errno" variant, which might be fine for now, >> ditto variants for the other non-fatal functions (error & >> die_message). That might be OK for now, but probably worth noting. > > Noted. > >>> +void warn_once(const char *warn, ...) >>> +{ >>> + char buf[1024]; >>> + va_list params; >>> + va_start(params, warn); >>> + >>> + if (vsnprintf(buf, sizeof(buf), warn, params) >= 0) { >> >> It doesn't matter for the end result, but let's compare with "< 0" like >> the other vsnprintf() caller in the file. > > Except that we do something after this block in both cases, so the > condition needs to be swapped or else duplicate code. *nod*, just a thought while skimming it. >> And how is this unlike that vsnprintf() in not needing the same error >> handling vreportf() does here: >> >> *p = '\0'; /* vsnprintf() failed, clip at prefix */ >> >> Seems like either a bug, or that other code being something we should be >> dropping. > > No, because the params are passed to warn_routine() in the section of code > you cropped out: > > + va_start(params, warn); > + warn_routine(warn, params); > + va_end(params); > > That warn_routine does the "clip at prefix" fix. if we have a failure in > vsnprintf() here, then we are skipping the "only once" check and going > straight to that logic. Ah, makes sense. I missed that. >>> + if (!strset_add(&prev_warnings, buf)) { >> >> More on the general API usability front: E.g. builtin/pack-objects.c >> seems like it could make use of thing like this in two places. >> >> But the API you've added here would only be usable for 1/2, i.e. you >> format and de-dup on the full warning, whereas at least 1/2 of those >> callers wants to de-dup on the un-formatted string (grep for 'static int >> warned'). >> >> Which (and I'm sounding like a broken record:) is another thing that me >> wonder if the general API is premature, i.e. it's a red flag that we >> have existing code that could benefit from it, if not for an arbitrary >> limitation, in this case fixing the limitation would mean the churn of >> either adding a new function, or a new parameter to all callers. I.e. a >> "int dedup_on_args" or similar. > > You are advocating that since there is one example of something that > doesn't fit this exact scenario, then we shouldn't move forward on > something that _does_ have immediate use (and potential use in other > places). This seem unnecessarily pedantic. I didn't mean to be pedantic, sorry. My thinking was more along the lines that I've seen roughly this pattern in a few other places, and a proposed new library utility for generic use is both more convincing, and tends to have bugs shook out of it if we go the extra mile to convert existing API users. Anyway, per the above I think this one is more easily handled by its caller by just moving the check up one function call... > This specific method is a good foundation for possibly extending it if > there is value in doing so. >>> + va_end(params); >>> + return; >>> + } >>> + } >>> + va_end(params); >>> + >>> + va_start(params, warn); >> >> I'm rusty on the varargs API (and haven't tested) but didn't we need >> va_copy() if we're iterating twice, or was that just if we're passing it >> to another function and using it ourselves... > > Well, outside of the fact that this function is tested and it works, > the documentation says this about the 'params' argument (named 'ap' > in the function prototype): > > If ap has already been passed as first argument to a previous call to > va_start or va_copy, it shall be passed to va_end before calling this > function. > > So, va_end(params) makes it safe to call va_start(params, warn) again. Yes, thanks. This was just from digging around in now obviously-incorrect wetware :) ^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v3 2/2] usage: add warn_once() helper for repeated warnings 2022-06-01 19:33 ` Ævar Arnfjörð Bjarmason @ 2022-06-02 13:43 ` Derrick Stolee 0 siblings, 0 replies; 40+ messages in thread From: Derrick Stolee @ 2022-06-02 13:43 UTC (permalink / raw) To: Ævar Arnfjörð Bjarmason Cc: Derrick Stolee via GitGitGadget, git, gitster, peff, me, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup On 6/1/2022 3:33 PM, Ævar Arnfjörð Bjarmason wrote: > > On Wed, Jun 01 2022, Derrick Stolee wrote: > >> On 6/1/2022 8:29 AM, Ævar Arnfjörð Bjarmason wrote:> >>> On Wed, Jun 01 2022, Derrick Stolee via GitGitGadget wrote: >>> >>>> From: Derrick Stolee <derrickstolee@github.com> >>>> >>>> The previous change added a warning when valid_remote() detects >>>> credentials in the URL. Since remotes are validated multiple times per >>>> process, this causes multiple warnings to print. >>> >>> Why are we validating remotes multiple times per process? Can't we just >>> do it once? >>> >>> Is this a case of two callers going through the whole machinery and not >>> being aware of one another? >>> >>> Perhaps it's a pain to deal with that in this case, but it would be >>> better to note why here than taking it as a given. >> >> We could certainly investigate this more, but it seems like a more >> problematic approach than the one taken here. We could add a "is_valid" >> bit to struct remote, but then could some code path modify that struct >> after it was validated? > > I tested this a bit and I think this alternate approach is simpler, and > it passes your tests: ... > +static void valid_remote_at_end(const struct remote *remote) > +{ > + int i; > + > + for (i = 0; i < remote->url_nr; i++) > + check_if_creds_in_url(remote->url[i]); > +} > + > static const char *alias_url(const char *url, struct rewrites *r) > { > int i, j; > @@ -687,6 +692,7 @@ remotes_remote_get_1(struct remote_state *remote_state, const char *name, > add_url_alias(remote_state, ret, name); > if (!valid_remote(ret)) > return NULL; > + valid_remote_at_end(ret); > return ret; > } > > I.e. we already have one spot where we get the full remote config, you > were just hooking into valid_remote() which we call N times while doing > that, let's just call it at the end. Thanks for finding a place where the current behavior only runs once. I agree that this is a much simpler approach and reduces this series back down to one. Thanks, -Stolee ^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v3 2/2] usage: add warn_once() helper for repeated warnings 2022-06-01 18:42 ` Derrick Stolee 2022-06-01 19:33 ` Ævar Arnfjörð Bjarmason @ 2022-06-01 20:21 ` Junio C Hamano 2022-06-02 14:24 ` Derrick Stolee 1 sibling, 1 reply; 40+ messages in thread From: Junio C Hamano @ 2022-06-01 20:21 UTC (permalink / raw) To: Derrick Stolee Cc: Ævar Arnfjörð Bjarmason, Derrick Stolee via GitGitGadget, git, peff, me, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup Derrick Stolee <derrickstolee@github.com> writes: > We could certainly investigate this more, but it seems like a more > problematic approach than the one taken here. We could add a "is_valid" > bit to struct remote, but then could some code path modify that struct > after it was validated? Two separate parser parsing the same string to produce (supposedly) equivalent parse results is a bit disturbing, and I am not sure if "is_valid" bit helps that. Adding "user" and "password" members to the struct, and retire the existing "parser" (instead it would just use the pre-parsed components stored in the struct) would. It would be a much more involved change, and it is something more than we would want to do in a regression fix patch. But this series is a new feature development, so... ^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v3 2/2] usage: add warn_once() helper for repeated warnings 2022-06-01 20:21 ` Junio C Hamano @ 2022-06-02 14:24 ` Derrick Stolee 2022-06-02 17:53 ` Junio C Hamano 0 siblings, 1 reply; 40+ messages in thread From: Derrick Stolee @ 2022-06-02 14:24 UTC (permalink / raw) To: Junio C Hamano Cc: Ævar Arnfjörð Bjarmason, Derrick Stolee via GitGitGadget, git, peff, me, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup On 6/1/2022 4:21 PM, Junio C Hamano wrote: > Derrick Stolee <derrickstolee@github.com> writes: > >> We could certainly investigate this more, but it seems like a more >> problematic approach than the one taken here. We could add a "is_valid" >> bit to struct remote, but then could some code path modify that struct >> after it was validated? > > Two separate parser parsing the same string to produce (supposedly) > equivalent parse results is a bit disturbing, and I am not sure if > "is_valid" bit helps that. > > Adding "user" and "password" members to the struct, and retire the > existing "parser" (instead it would just use the pre-parsed > components stored in the struct) would. It would be a much more > involved change, and it is something more than we would want to do > in a regression fix patch. > > But this series is a new feature development, so... Yes, you're right. I should use the output 'struct url_inf' from url_normalize() to construct the redacted URL. It has the downside that the output URL can be slightly different from the input URL, but a user should still be able to diagnose how to resolve the situation. Thanks, -Stolee ^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v3 2/2] usage: add warn_once() helper for repeated warnings 2022-06-02 14:24 ` Derrick Stolee @ 2022-06-02 17:53 ` Junio C Hamano 0 siblings, 0 replies; 40+ messages in thread From: Junio C Hamano @ 2022-06-02 17:53 UTC (permalink / raw) To: Derrick Stolee Cc: Ævar Arnfjörð Bjarmason, Derrick Stolee via GitGitGadget, git, peff, me, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup Derrick Stolee <derrickstolee@github.com> writes: > Yes, you're right. I should use the output 'struct url_inf' from > url_normalize() to construct the redacted URL. It has the downside > that the output URL can be slightly different from the input URL, > but a user should still be able to diagnose how to resolve the > situation. Ah, the error message is based on pre-normalization which may very well be different, as that is the whole point of normalization ;-) We'd redact password part in the error message anyway, so it may not be a huge deal. ^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v3 2/2] usage: add warn_once() helper for repeated warnings 2022-06-01 1:16 ` [PATCH v3 2/2] usage: add warn_once() helper for repeated warnings Derrick Stolee via GitGitGadget 2022-06-01 12:29 ` Ævar Arnfjörð Bjarmason @ 2022-06-01 20:40 ` Junio C Hamano 1 sibling, 0 replies; 40+ messages in thread From: Junio C Hamano @ 2022-06-01 20:40 UTC (permalink / raw) To: Derrick Stolee via GitGitGadget Cc: git, peff, me, avarab, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup, Derrick Stolee "Derrick Stolee via GitGitGadget" <gitgitgadget@gmail.com> writes: > In the case of the credentials in a URL, the existing test demonstrates > this per-process limitation: 'git clone' runs 'git-remote-curl' as a > child process, giving two messages. This is an improvement over the > previous six messages. Do we call the valid_remote() helper on the same remote many number of times? Unless the duplicates appear by such a "stupid" reason, I am not sure if this is a good idea to do this deduplication. Especially if we know we cannot do the deduplication across processes. ^ permalink raw reply [flat|nested] 40+ messages in thread
* [PATCH v4] remote: create fetch.credentialsInUrl config 2022-06-01 1:16 ` [PATCH v3 0/2] fetch: " Derrick Stolee via GitGitGadget 2022-06-01 1:16 ` [PATCH v3 1/2] remote: " Derrick Stolee via GitGitGadget 2022-06-01 1:16 ` [PATCH v3 2/2] usage: add warn_once() helper for repeated warnings Derrick Stolee via GitGitGadget @ 2022-06-02 17:20 ` Derrick Stolee via GitGitGadget 2022-06-02 21:20 ` Junio C Hamano 2022-06-06 14:36 ` [PATCH v5] " Derrick Stolee via GitGitGadget 2 siblings, 2 replies; 40+ messages in thread From: Derrick Stolee via GitGitGadget @ 2022-06-02 17:20 UTC (permalink / raw) To: git Cc: gitster, peff, me, avarab, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup, Derrick Stolee, Derrick Stolee From: Derrick Stolee <derrickstolee@github.com> Users sometimes provide a "username:password" combination in their plaintext URLs. Since Git stores these URLs in plaintext in the .git/config file, this is a very insecure way of storing these credentials. Credential managers are a more secure way of storing this information. System administrators might want to prevent this kind of use by users on their machines. Create a new "fetch.credentialsInUrl" config option and teach Git to warn or die when seeing a URL with this kind of information. The warning anonymizes the sensitive information of the URL to be clear about the issue. This change currently defaults the behavior to "allow" which does nothing with these URLs. We can consider changing this behavior to "warn" by default if we wish. At that time, we may want to add some advice about setting fetch.credentialsInUrl=ignore for users who still want to follow this pattern (and not receive the warning). An earlier version of this change injected the logic into url_normalize() in urlmatch.c. While most code paths that parse URLs eventually normalize the URL, that normalization does not happen early enough in the stack to avoid attempting connections to the URL first. By inserting a check into the remote validation, we identify the issue before making a connection. In the old code path, this was revealed by testing the new t5601-clone.sh test under --stress, resulting in an instance where the return code was 13 (SIGPIPE) instead of 128 from the die(). However, we can reuse the parsing information from url_normalize() in order to benefit from its well-worn parsing logic. We can use the struct url_info that is created in that method to replace the password with "<redacted>" in our error messages. This comes with a slight downside that the normalized URL might look slightly different from the input URL (for instance, the normalized version adds a closing slash). This should not hinder users figuring out what the problem is and being able to fix the issue. As an attempt to ensure the parsing logic did not catch any unintentional cases, I modified this change locally to to use the "die" option by default. Running the test suite succeeds except for the explicit username:password URLs used in t5550-http-fetch-dumb.sh and t5541-http-push-smart.sh. This means that all other tested URLs did not trigger this logic. The tests show that the proper error messages appear (or do not appear), but also count the number of error messages. When only warning, each process validates the remote URL and outputs a warning. This happens twice for clone, three times for fetch, and once for push. Signed-off-by: Derrick Stolee <derrickstolee@github.com> --- remote: create fetch.credentialsInUrl config Users can specify credentials in their URL using the username:password@domain format. This is potentially hazardous since the URL is stored in plaintext and can also appear in trace2 logs and other places. Add a new config option that allows warnings or failures when discovering URLs with this format. The default behavior does not change in this series, although we may want to move to the warn state by default in the future. This is a modified version of the patch I submitted a while ago [1]. Based on the feedback, changing the behavior to fail by default was not a good approach. Further, the idea to stop storing the credentials in config and redirect them to a credential manager was already considered by Peff [2] but not merged. This patch does what should be the simplest thing we can do: create a config option that will cause the user to get a warning or a failure, depending on its value. The default is to ignore the setting, identical to the current behavior. We can talk about changing this default to "warn" in the future, but it would be safest to release with ignore as the default until we are sure that we are not going to start warning on false positives. This patch would be sufficient for the interested internal parties that want to prevent users from storing credentials this way. System administrators can modify system-level Git config into "die" mode to prevent this behavior. [1] https://lore.kernel.org/git/pull.945.git.1619807844627.gitgitgadget@gmail.com Reject passwords in URLs (April 2021). [2] https://lore.kernel.org/git/20190519050724.GA26179@sigill.intra.peff.net/ Re: Git ransom campaign incident report - May 2019 Updates in v4 ============= * The warn_once() patch is dropped in favor of using a different location for the check (remotes_remote_get_1() instead of valid_remote()). * The parsing logic is removed in favor of using the output url_info from url_normalize(). * Tests for 'fetch' and 'push' are added. * This requires updating the topic to be on a more-recent version of 'master' because some change since the previous base caused 'git push' to output the warning only once, not twice. Updates in v3 ============= * Because of some flaky behavior around SIGPIPE, the URL check needed to move to be earlier in the command. * For this reason, I moved the cred check into remote.c's valid_remote() check. This changed the previous BUG() statements into early returns. * I repeated the check with the test suite to see if this parsing fails on any existing cases, but it is worth double-checking the parsing rules. * Documentation is more consistent about using placeholders. * A test for the "allow" case is now included. * A new patch is added that creates the warn_once() helper. This reduces multiple advisory warnings with the same text from being written by the same process. Updates in v2 ============= * Documentation is slightly expanded to include the fact that Git stores the given URL as plaintext in its config. * The new method has a new documentation comment that details the necessary preconditions. * "ignore" is now "allow" * Additional checks on colon_ptr are added. * Use strbuf_splice() instead of custom string-walking logic. * Use "" instead of asterisks. * Config value checks are no longer case sensitive. Thanks, -Stolee Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-1237%2Fderrickstolee%2Fcreds-in-url-v4 Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-1237/derrickstolee/creds-in-url-v4 Pull-Request: https://github.com/gitgitgadget/git/pull/1237 Range-diff vs v3: 1: 083a918e9b1 ! 1: 5fb038402d6 remote: create fetch.credentialsInUrl config @@ Commit message instance where the return code was 13 (SIGPIPE) instead of 128 from the die(). - Since we are not deep within url_normalize(), we need to do our own - parsing to detect if there is a "username:password@domain" section. We - begin by detecting the first '@' symbol in the URL. We then detect if - there is a scheme such as "https://" by finding the first slash. If that - slash does not exist or is after the first '@' symbol, then we consider - the scheme to be complete before the URL. Finally, we look for a colon - between the scheme and the '@' symbol, indicating a "username:password" - string. Replace the password with "<redacted>" when writing the error - message. + However, we can reuse the parsing information from url_normalize() in + order to benefit from its well-worn parsing logic. We can use the struct + url_info that is created in that method to replace the password with + "<redacted>" in our error messages. This comes with a slight downside + that the normalized URL might look slightly different from the input URL + (for instance, the normalized version adds a closing slash). This should + not hinder users figuring out what the problem is and being able to fix + the issue. As an attempt to ensure the parsing logic did not catch any unintentional cases, I modified this change locally to to use the "die" @@ Commit message t5541-http-push-smart.sh. This means that all other tested URLs did not trigger this logic. + The tests show that the proper error messages appear (or do not + appear), but also count the number of error messages. When only warning, + each process validates the remote URL and outputs a warning. This + happens twice for clone, three times for fetch, and once for push. + Signed-off-by: Derrick Stolee <derrickstolee@github.com> ## Documentation/config/fetch.txt ## @@ Documentation/config/fetch.txt: fetch.writeCommitGraph:: + with a plaintext credential. ## remote.c ## -@@ remote.c: struct counted_string { - const char *s; - }; +@@ + #include "cache.h" + #include "config.h" + #include "remote.h" ++#include "urlmatch.h" + #include "refs.h" + #include "refspec.h" + #include "object-store.h" +@@ remote.c: const char *remote_ref_for_branch(struct branch *branch, int for_push) + return NULL; + } -+/* -+ * Check if the given URL is of the following form: -+ * -+ * scheme://username:password@domain[:port][/path] -+ * -+ * Specifically, see if the ":password@" section of the URL appears. -+ * -+ * The fetch.credentialsInUrl config indicates what to do on such a URL, -+ * either ignoring, warning, or erroring. The latter two modes write a -+ * redacted URL to stderr. -+ */ -+static void check_if_creds_in_url(const char *url) ++static void validate_remote_url(struct remote *remote) +{ -+ const char *value, *scheme_ptr, *colon_ptr, *at_ptr; ++ int i; ++ const char *value; + struct strbuf redacted = STRBUF_INIT; + -+ /* "allow" is the default behavior. */ + if (git_config_get_string_tmp("fetch.credentialsinurl", &value) || + !strcmp("allow", value)) + return; + -+ if (!(at_ptr = strchr(url, '@'))) -+ return; ++ for (i = 0; i < remote->url_nr; i++) { ++ struct url_info url_info = { NULL }; ++ url_normalize(remote->url[i], &url_info); + -+ if (!(scheme_ptr = strchr(url, '/')) || -+ scheme_ptr > at_ptr) -+ scheme_ptr = url; ++ if (!url_info.passwd_len) ++ goto loop_cleanup; + -+ if (!(colon_ptr = strchr(scheme_ptr, ':'))) -+ return; ++ strbuf_add(&redacted, url_info.url, url_info.passwd_off); ++ strbuf_addstr(&redacted, "<redacted>"); ++ strbuf_addstr(&redacted, url_info.url + url_info.passwd_off + url_info.passwd_len); + -+ /* Include the colon when creating the redacted URL. */ -+ colon_ptr++; -+ strbuf_addstr(&redacted, url); -+ strbuf_splice(&redacted, colon_ptr - url, at_ptr - colon_ptr, -+ "<redacted>", 10); ++ if (!strcmp("warn", value)) ++ warning(_("URL '%s' uses plaintext credentials"), redacted.buf); ++ if (!strcmp("die", value)) ++ die(_("URL '%s' uses plaintext credentials"), redacted.buf); + -+ if (!strcmp("warn", value)) -+ warning(_("URL '%s' uses plaintext credentials"), redacted.buf); -+ if (!strcmp("die", value)) -+ die(_("URL '%s' uses plaintext credentials"), redacted.buf); ++loop_cleanup: ++ free(url_info.url); ++ } + + strbuf_release(&redacted); +} + - static int valid_remote(const struct remote *remote) - { -+ for (int i = 0; i < remote->url_nr; i++) -+ check_if_creds_in_url(remote->url[i]); + static struct remote * + remotes_remote_get_1(struct remote_state *remote_state, const char *name, + const char *(*get_default)(struct remote_state *, +@@ remote.c: remotes_remote_get_1(struct remote_state *remote_state, const char *name, + add_url_alias(remote_state, ret, name); + if (!valid_remote(ret)) + return NULL; ++ ++ validate_remote_url(ret); + - return (!!remote->url) || (!!remote->foreign_vcs); + return ret; } + ## t/t5516-fetch-push.sh ## +@@ t/t5516-fetch-push.sh: This test checks the following functionality: + * --porcelain output format + * hiderefs + * reflogs ++* URL validation + ' + + GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME=main +@@ t/t5516-fetch-push.sh: test_expect_success 'refuse to push a hidden ref, and make sure do not pollute t + test_dir_is_empty testrepo/.git/objects/pack + ' + ++test_expect_success 'fetch warns or fails when using username:password' ' ++ message="URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" && ++ test_must_fail git -c fetch.credentialsInUrl=allow fetch https://username:password@localhost 2>err && ++ ! grep "$message" err && ++ ++ test_must_fail git -c fetch.credentialsInUrl=warn fetch https://username:password@localhost 2>err && ++ grep "warning: $message" err >warnings && ++ test_line_count = 3 warnings && ++ ++ test_must_fail git -c fetch.credentialsInUrl=die fetch https://username:password@localhost 2>err && ++ grep "fatal: $message" err >warnings && ++ test_line_count = 1 warnings ++' ++ ++ ++test_expect_success 'push warns or fails when using username:password' ' ++ message="URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" && ++ test_must_fail git -c fetch.credentialsInUrl=allow push https://username:password@localhost 2>err && ++ ! grep "$message" err && ++ ++ test_must_fail git -c fetch.credentialsInUrl=warn push https://username:password@localhost 2>err && ++ grep "warning: $message" err >warnings && ++ test_must_fail git -c fetch.credentialsInUrl=die push https://username:password@localhost 2>err && ++ grep "fatal: $message" err >warnings && ++ test_line_count = 1 warnings ++' ++ + test_done + ## t/t5601-clone.sh ## @@ t/t5601-clone.sh: test_expect_success 'clone respects GIT_WORK_TREE' ' ' +test_expect_success 'clone warns or fails when using username:password' ' ++ message="URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" && + test_must_fail git -c fetch.credentialsInUrl=allow clone https://username:password@localhost attempt1 2>err && -+ ! grep "URL '\''https://username:<redacted>@localhost'\'' uses plaintext credentials" err && -+ test_must_fail git -c fetch.credentialsInUrl=warn clone https://username:password@localhost attempt1 2>err && -+ grep "warning: URL '\''https://username:<redacted>@localhost'\'' uses plaintext credentials" err && -+ test_must_fail git -c fetch.credentialsInUrl=die clone https://username:password@localhost attempt2 2>err && -+ grep "fatal: URL '\''https://username:<redacted>@localhost'\'' uses plaintext credentials" err ++ ! grep "$message" err && ++ ++ test_must_fail git -c fetch.credentialsInUrl=warn clone https://username:password@localhost attempt2 2>err && ++ grep "warning: $message" err >warnings && ++ test_line_count = 2 warnings && ++ ++ test_must_fail git -c fetch.credentialsInUrl=die clone https://username:password@localhost attempt3 2>err && ++ grep "fatal: $message" err >warnings && ++ test_line_count = 1 warnings +' + +test_expect_success 'clone does not detect username:password when it is https://username@domain:port/' ' 2: 8e29ac807c6 < -: ----------- usage: add warn_once() helper for repeated warnings Documentation/config/fetch.txt | 14 +++++++++++++ remote.c | 37 ++++++++++++++++++++++++++++++++++ t/t5516-fetch-push.sh | 28 +++++++++++++++++++++++++ t/t5601-clone.sh | 19 +++++++++++++++++ 4 files changed, 98 insertions(+) diff --git a/Documentation/config/fetch.txt b/Documentation/config/fetch.txt index cd65d236b43..0db7fe85bb8 100644 --- a/Documentation/config/fetch.txt +++ b/Documentation/config/fetch.txt @@ -96,3 +96,17 @@ fetch.writeCommitGraph:: merge and the write may take longer. Having an updated commit-graph file helps performance of many Git commands, including `git merge-base`, `git push -f`, and `git log --graph`. Defaults to false. + +fetch.credentialsInUrl:: + A URL can contain plaintext credentials in the form + `<protocol>://<user>:<password>@<domain>/<path>`. Using such URLs + is not recommended as it exposes the password in multiple ways, + including Git storing the URL as plaintext in the repository config. + The `fetch.credentialsInUrl` option provides instruction for how Git + should react to seeing such a URL, with these values: ++ +* `allow` (default): Git will proceed with its activity without warning. +* `warn`: Git will write a warning message to `stderr` when parsing a URL + with a plaintext credential. +* `die`: Git will write a failure message to `stderr` when parsing a URL + with a plaintext credential. diff --git a/remote.c b/remote.c index 930fdc9c2f6..1f4a95e9840 100644 --- a/remote.c +++ b/remote.c @@ -1,6 +1,7 @@ #include "cache.h" #include "config.h" #include "remote.h" +#include "urlmatch.h" #include "refs.h" #include "refspec.h" #include "object-store.h" @@ -614,6 +615,39 @@ const char *remote_ref_for_branch(struct branch *branch, int for_push) return NULL; } +static void validate_remote_url(struct remote *remote) +{ + int i; + const char *value; + struct strbuf redacted = STRBUF_INIT; + + if (git_config_get_string_tmp("fetch.credentialsinurl", &value) || + !strcmp("allow", value)) + return; + + for (i = 0; i < remote->url_nr; i++) { + struct url_info url_info = { NULL }; + url_normalize(remote->url[i], &url_info); + + if (!url_info.passwd_len) + goto loop_cleanup; + + strbuf_add(&redacted, url_info.url, url_info.passwd_off); + strbuf_addstr(&redacted, "<redacted>"); + strbuf_addstr(&redacted, url_info.url + url_info.passwd_off + url_info.passwd_len); + + if (!strcmp("warn", value)) + warning(_("URL '%s' uses plaintext credentials"), redacted.buf); + if (!strcmp("die", value)) + die(_("URL '%s' uses plaintext credentials"), redacted.buf); + +loop_cleanup: + free(url_info.url); + } + + strbuf_release(&redacted); +} + static struct remote * remotes_remote_get_1(struct remote_state *remote_state, const char *name, const char *(*get_default)(struct remote_state *, @@ -639,6 +673,9 @@ remotes_remote_get_1(struct remote_state *remote_state, const char *name, add_url_alias(remote_state, ret, name); if (!valid_remote(ret)) return NULL; + + validate_remote_url(ret); + return ret; } diff --git a/t/t5516-fetch-push.sh b/t/t5516-fetch-push.sh index 4dfb080433e..4497617db7f 100755 --- a/t/t5516-fetch-push.sh +++ b/t/t5516-fetch-push.sh @@ -12,6 +12,7 @@ This test checks the following functionality: * --porcelain output format * hiderefs * reflogs +* URL validation ' GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME=main @@ -1813,4 +1814,31 @@ test_expect_success 'refuse to push a hidden ref, and make sure do not pollute t test_dir_is_empty testrepo/.git/objects/pack ' +test_expect_success 'fetch warns or fails when using username:password' ' + message="URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" && + test_must_fail git -c fetch.credentialsInUrl=allow fetch https://username:password@localhost 2>err && + ! grep "$message" err && + + test_must_fail git -c fetch.credentialsInUrl=warn fetch https://username:password@localhost 2>err && + grep "warning: $message" err >warnings && + test_line_count = 3 warnings && + + test_must_fail git -c fetch.credentialsInUrl=die fetch https://username:password@localhost 2>err && + grep "fatal: $message" err >warnings && + test_line_count = 1 warnings +' + + +test_expect_success 'push warns or fails when using username:password' ' + message="URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" && + test_must_fail git -c fetch.credentialsInUrl=allow push https://username:password@localhost 2>err && + ! grep "$message" err && + + test_must_fail git -c fetch.credentialsInUrl=warn push https://username:password@localhost 2>err && + grep "warning: $message" err >warnings && + test_must_fail git -c fetch.credentialsInUrl=die push https://username:password@localhost 2>err && + grep "fatal: $message" err >warnings && + test_line_count = 1 warnings +' + test_done diff --git a/t/t5601-clone.sh b/t/t5601-clone.sh index 4a61f2c901e..d03c19f5e07 100755 --- a/t/t5601-clone.sh +++ b/t/t5601-clone.sh @@ -71,6 +71,25 @@ test_expect_success 'clone respects GIT_WORK_TREE' ' ' +test_expect_success 'clone warns or fails when using username:password' ' + message="URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" && + test_must_fail git -c fetch.credentialsInUrl=allow clone https://username:password@localhost attempt1 2>err && + ! grep "$message" err && + + test_must_fail git -c fetch.credentialsInUrl=warn clone https://username:password@localhost attempt2 2>err && + grep "warning: $message" err >warnings && + test_line_count = 2 warnings && + + test_must_fail git -c fetch.credentialsInUrl=die clone https://username:password@localhost attempt3 2>err && + grep "fatal: $message" err >warnings && + test_line_count = 1 warnings +' + +test_expect_success 'clone does not detect username:password when it is https://username@domain:port/' ' + test_must_fail git -c fetch.credentialsInUrl=warn clone https://username@localhost:8080 attempt3 2>err && + ! grep "uses plaintext credentials" err +' + test_expect_success 'clone from hooks' ' test_create_repo r0 && base-commit: 2668e3608e47494f2f10ef2b6e69f08a84816bcb -- gitgitgadget ^ permalink raw reply related [flat|nested] 40+ messages in thread
* Re: [PATCH v4] remote: create fetch.credentialsInUrl config 2022-06-02 17:20 ` [PATCH v4] remote: create fetch.credentialsInUrl config Derrick Stolee via GitGitGadget @ 2022-06-02 21:20 ` Junio C Hamano 2022-06-03 12:54 ` Derrick Stolee 2022-06-06 14:36 ` [PATCH v5] " Derrick Stolee via GitGitGadget 1 sibling, 1 reply; 40+ messages in thread From: Junio C Hamano @ 2022-06-02 21:20 UTC (permalink / raw) To: Derrick Stolee via GitGitGadget Cc: git, peff, me, avarab, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup, Derrick Stolee "Derrick Stolee via GitGitGadget" <gitgitgadget@gmail.com> writes: > +static void validate_remote_url(struct remote *remote) > +{ > + int i; > + const char *value; > + struct strbuf redacted = STRBUF_INIT; > + > + if (git_config_get_string_tmp("fetch.credentialsinurl", &value) || > + !strcmp("allow", value)) > + return; > + > + for (i = 0; i < remote->url_nr; i++) { > + struct url_info url_info = { NULL }; The initializer should be "= { 0 }" not "= { NULL }". In other words, we shouldn't have to care if the first member in the struct happens to be of a pointer type, and we shouldn't have to change between 0 and NULL whenever the type of the first member changes. Even though it frowns upon assigning 0 to a pointer variable or a pointer member in a struct, sparse knows that such an initializer is OK. cf. https://lore.kernel.org/git/YVJSwuqjolz28+mG@coredump.intra.peff.net/ Please have a blank line after the variable decl. > + url_normalize(remote->url[i], &url_info); url_normalize() returns "char *", and you get NULL when parsing fails; out_info->err may also help when it happens, but I think we will call url_normalize() again later in the existing caller, and it will give whatever error message we need to give appropriately, so it is OK to silently jump to the loop_cleanup label from here. > + if (!url_info.passwd_len) > + goto loop_cleanup; I wonder what should happen to "https://username:@localhost" (i.e. an empty string is used as a password). I am fine if we allow it as an obvious "this is like an anonymous ftp; anybody can connect" use case, but I do not know how useful it would be in practice. I am also fine if certain authentication scheme needs username and password, the latter of which is never used because the "real thing" like Kerberos kicks in when the real authentication happens but becasue something needs to be there to "trigger" the authentication, and that is why we deliberately allow an empty string case unwarned. But if this is a deliberate thing, we'd need to caution future developers about it. I do not think passwd_ofs can ever be 0 if we have an embedded password in the URL, so checking it may be a better approach, if we care about an empty-string case. I can be persuaded either way. > + > + strbuf_add(&redacted, url_info.url, url_info.passwd_off); > + strbuf_addstr(&redacted, "<redacted>"); > + strbuf_addstr(&redacted, url_info.url + url_info.passwd_off + url_info.passwd_len); > + > + if (!strcmp("warn", value)) > + warning(_("URL '%s' uses plaintext credentials"), redacted.buf); > + if (!strcmp("die", value)) > + die(_("URL '%s' uses plaintext credentials"), redacted.buf); We obviously could introduce another local variable that is set based on the "value" before we enter the loop to "optimize", but this is an error codepath, so I do not mind repeated strcmp() on the constant value in the loop. I do have to wonder what we should do when value is none of the three we know about. Right now, it makes the function an expensive noop, so upfront at the beginning of the function, we might need something like int to_warn_not_die; if (git_config_get_string_tmp(...")) return; if (!strcmp("warn", value)) to_warn_not_die = 1; else if (!strcmp("die", value)) to_warn_not_die = 0; else return; anyway, in which case we would also do if (to_warn_not_die) warning(...); else die(...); in the loop, perhaps? I dunno. I wonder if die_message() may want to report all the offending URL for a given remote (with a concluding die() after the loop). I am OK with dying at the first offence, though. In the worst case, the end user experience would be: $ git fetch there die() about the first URL for the nickname $ edit .git/config $ git fetch there die() about the second URL for the nickname The user will learn after getting the same error message twice and scan through the other URLs when editing .git/config for the second time to fix the second URL. If I were writing this patch, I would probably play lazy and die on the first offender. > +test_expect_success 'fetch warns or fails when using username:password' ' > + message="URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" && > + test_must_fail git -c fetch.credentialsInUrl=allow fetch https://username:password@localhost 2>err && > + ! grep "$message" err && > + > + test_must_fail git -c fetch.credentialsInUrl=warn fetch https://username:password@localhost 2>err && > + grep "warning: $message" err >warnings && > + test_line_count = 3 warnings && > + > + test_must_fail git -c fetch.credentialsInUrl=die fetch https://username:password@localhost 2>err && > + grep "fatal: $message" err >warnings && > + test_line_count = 1 warnings Reusing warnings file for die messages is probably OK ;-) An extra test with an empty string as a password would have caught the differences between using passwd_off and passwd_len to detect the presence of a password here. Taking all together, I'll queue the following on top as a separate fix-up patch, but I may well be giving (some) bad pieces of advice, so I will wait for others to comment. Thanks. remote.c | 26 ++++++++++++++++++-------- t/t5516-fetch-push.sh | 4 ++++ t/t5601-clone.sh | 4 ++++ 3 files changed, 26 insertions(+), 8 deletions(-) diff --git c/remote.c w/remote.c index 59b6839445..2cdc064fa8 100644 --- c/remote.c +++ w/remote.c @@ -619,25 +619,35 @@ static void validate_remote_url(struct remote *remote) int i; const char *value; struct strbuf redacted = STRBUF_INIT; + int warn_not_die; - if (git_config_get_string_tmp("fetch.credentialsinurl", &value) || - !strcmp("allow", value)) + if (git_config_get_string_tmp("fetch.credentialsinurl", &value)) return; + if (!strcmp("warn", value)) + warn_not_die = 1; + else if (!strcmp("die", value)) + warn_not_die = 0; + else if (!strcmp("allow", value)) + return; + else + die(_("unrecognized value fetch.credentialsInURL: '%s'"), value); + for (i = 0; i < remote->url_nr; i++) { - struct url_info url_info = { NULL }; - url_normalize(remote->url[i], &url_info); + struct url_info url_info = { 0 }; - if (!url_info.passwd_len) + if (!url_normalize(remote->url[i], &url_info) || + !url_info.passwd_off) goto loop_cleanup; strbuf_add(&redacted, url_info.url, url_info.passwd_off); strbuf_addstr(&redacted, "<redacted>"); - strbuf_addstr(&redacted, url_info.url + url_info.passwd_off + url_info.passwd_len); + strbuf_addstr(&redacted, + url_info.url + url_info.passwd_off + url_info.passwd_len); - if (!strcmp("warn", value)) + if (warn_not_die) warning(_("URL '%s' uses plaintext credentials"), redacted.buf); - if (!strcmp("die", value)) + else die(_("URL '%s' uses plaintext credentials"), redacted.buf); loop_cleanup: diff --git c/t/t5516-fetch-push.sh w/t/t5516-fetch-push.sh index afb9236bee..a67acc3263 100755 --- c/t/t5516-fetch-push.sh +++ w/t/t5516-fetch-push.sh @@ -1821,6 +1821,10 @@ test_expect_success 'fetch warns or fails when using username:password' ' test_must_fail git -c fetch.credentialsInUrl=die fetch https://username:password@localhost 2>err && grep "fatal: $message" err >warnings && + test_line_count = 1 warnings && + + test_must_fail git -c fetch.credentialsInUrl=die fetch https://username:@localhost 2>err && + grep "fatal: $message" err >warnings && test_line_count = 1 warnings ' diff --git c/t/t5601-clone.sh w/t/t5601-clone.sh index ddc4cc7ec2..cf0a3ef3f4 100755 --- c/t/t5601-clone.sh +++ w/t/t5601-clone.sh @@ -82,6 +82,10 @@ test_expect_success 'clone warns or fails when using username:password' ' test_must_fail git -c fetch.credentialsInUrl=die clone https://username:password@localhost attempt3 2>err && grep "fatal: $message" err >warnings && + test_line_count = 1 warnings && + + test_must_fail git -c fetch.credentialsInUrl=die clone https://username:@localhost attempt3 2>err && + grep "fatal: $message" err >warnings && test_line_count = 1 warnings ' ^ permalink raw reply related [flat|nested] 40+ messages in thread
* Re: [PATCH v4] remote: create fetch.credentialsInUrl config 2022-06-02 21:20 ` Junio C Hamano @ 2022-06-03 12:54 ` Derrick Stolee 2022-06-06 15:37 ` Junio C Hamano 0 siblings, 1 reply; 40+ messages in thread From: Derrick Stolee @ 2022-06-03 12:54 UTC (permalink / raw) To: Junio C Hamano, Derrick Stolee via GitGitGadget Cc: git, peff, me, avarab, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup On 6/2/2022 5:20 PM, Junio C Hamano wrote: ... > Taking all together, I'll queue the following on top as a separate > fix-up patch, but I may well be giving (some) bad pieces of advice, > so I will wait for others to comment. I cut all of your commentary because it was universally good and the fixup you provided does a great job of solving those issues. Please give yourself co-authorship on the squashed commit. Thanks, -Stolee ^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [PATCH v4] remote: create fetch.credentialsInUrl config 2022-06-03 12:54 ` Derrick Stolee @ 2022-06-06 15:37 ` Junio C Hamano 0 siblings, 0 replies; 40+ messages in thread From: Junio C Hamano @ 2022-06-06 15:37 UTC (permalink / raw) To: Derrick Stolee Cc: Derrick Stolee via GitGitGadget, git, peff, me, avarab, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup Derrick Stolee <derrickstolee@github.com> writes: > On 6/2/2022 5:20 PM, Junio C Hamano wrote: > ... >> Taking all together, I'll queue the following on top as a separate >> fix-up patch, but I may well be giving (some) bad pieces of advice, >> so I will wait for others to comment. > > I cut all of your commentary because it was universally good and > the fixup you provided does a great job of solving those issues. > > Please give yourself co-authorship on the squashed commit. Heh, that's at most helped-by; a small bugfix in the logic (zero-length) and all others are minor clean-ups. Thanks. ^ permalink raw reply [flat|nested] 40+ messages in thread
* [PATCH v5] remote: create fetch.credentialsInUrl config 2022-06-02 17:20 ` [PATCH v4] remote: create fetch.credentialsInUrl config Derrick Stolee via GitGitGadget 2022-06-02 21:20 ` Junio C Hamano @ 2022-06-06 14:36 ` Derrick Stolee via GitGitGadget 2022-06-06 16:34 ` Junio C Hamano 1 sibling, 1 reply; 40+ messages in thread From: Derrick Stolee via GitGitGadget @ 2022-06-06 14:36 UTC (permalink / raw) To: git Cc: gitster, peff, me, avarab, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup, Derrick Stolee, Derrick Stolee From: Derrick Stolee <derrickstolee@github.com> Users sometimes provide a "username:password" combination in their plaintext URLs. Since Git stores these URLs in plaintext in the .git/config file, this is a very insecure way of storing these credentials. Credential managers are a more secure way of storing this information. System administrators might want to prevent this kind of use by users on their machines. Create a new "fetch.credentialsInUrl" config option and teach Git to warn or die when seeing a URL with this kind of information. The warning anonymizes the sensitive information of the URL to be clear about the issue. This change currently defaults the behavior to "allow" which does nothing with these URLs. We can consider changing this behavior to "warn" by default if we wish. At that time, we may want to add some advice about setting fetch.credentialsInUrl=ignore for users who still want to follow this pattern (and not receive the warning). An earlier version of this change injected the logic into url_normalize() in urlmatch.c. While most code paths that parse URLs eventually normalize the URL, that normalization does not happen early enough in the stack to avoid attempting connections to the URL first. By inserting a check into the remote validation, we identify the issue before making a connection. In the old code path, this was revealed by testing the new t5601-clone.sh test under --stress, resulting in an instance where the return code was 13 (SIGPIPE) instead of 128 from the die(). However, we can reuse the parsing information from url_normalize() in order to benefit from its well-worn parsing logic. We can use the struct url_info that is created in that method to replace the password with "<redacted>" in our error messages. This comes with a slight downside that the normalized URL might look slightly different from the input URL (for instance, the normalized version adds a closing slash). This should not hinder users figuring out what the problem is and being able to fix the issue. As an attempt to ensure the parsing logic did not catch any unintentional cases, I modified this change locally to to use the "die" option by default. Running the test suite succeeds except for the explicit username:password URLs used in t5550-http-fetch-dumb.sh and t5541-http-push-smart.sh. This means that all other tested URLs did not trigger this logic. The tests show that the proper error messages appear (or do not appear), but also count the number of error messages. When only warning, each process validates the remote URL and outputs a warning. This happens twice for clone, three times for fetch, and once for push. Co-authored-by: Junio C Hamano <gitster@pobox.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> Signed-off-by: Derrick Stolee <derrickstolee@github.com> --- remote: create fetch.credentialsInUrl config Users can specify credentials in their URL using the username:password@domain format. This is potentially hazardous since the URL is stored in plaintext and can also appear in trace2 logs and other places. Add a new config option that allows warnings or failures when discovering URLs with this format. The default behavior does not change in this series, although we may want to move to the warn state by default in the future. This is a modified version of the patch I submitted a while ago [1]. Based on the feedback, changing the behavior to fail by default was not a good approach. Further, the idea to stop storing the credentials in config and redirect them to a credential manager was already considered by Peff [2] but not merged. This patch does what should be the simplest thing we can do: create a config option that will cause the user to get a warning or a failure, depending on its value. The default is to ignore the setting, identical to the current behavior. We can talk about changing this default to "warn" in the future, but it would be safest to release with ignore as the default until we are sure that we are not going to start warning on false positives. This patch would be sufficient for the interested internal parties that want to prevent users from storing credentials this way. System administrators can modify system-level Git config into "die" mode to prevent this behavior. [1] https://lore.kernel.org/git/pull.945.git.1619807844627.gitgitgadget@gmail.com Reject passwords in URLs (April 2021). [2] https://lore.kernel.org/git/20190519050724.GA26179@sigill.intra.peff.net/ Re: Git ransom campaign incident report - May 2019 Updates in v5 ============= * Squashed in Junio's recommended changes. * Noticed that the redacted strbuf wasn't reset between loop iterations, which only matters if there are multiple URLs for the remote. Updates in v4 ============= * The warn_once() patch is dropped in favor of using a different location for the check (remotes_remote_get_1() instead of valid_remote()). * The parsing logic is removed in favor of using the output url_info from url_normalize(). * Tests for 'fetch' and 'push' are added. * This requires updating the topic to be on a more-recent version of 'master' because some change since the previous base caused 'git push' to output the warning only once, not twice. Updates in v3 ============= * Because of some flaky behavior around SIGPIPE, the URL check needed to move to be earlier in the command. * For this reason, I moved the cred check into remote.c's valid_remote() check. This changed the previous BUG() statements into early returns. * I repeated the check with the test suite to see if this parsing fails on any existing cases, but it is worth double-checking the parsing rules. * Documentation is more consistent about using placeholders. * A test for the "allow" case is now included. * A new patch is added that creates the warn_once() helper. This reduces multiple advisory warnings with the same text from being written by the same process. Updates in v2 ============= * Documentation is slightly expanded to include the fact that Git stores the given URL as plaintext in its config. * The new method has a new documentation comment that details the necessary preconditions. * "ignore" is now "allow" * Additional checks on colon_ptr are added. * Use strbuf_splice() instead of custom string-walking logic. * Use "" instead of asterisks. * Config value checks are no longer case sensitive. Thanks, -Stolee Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-1237%2Fderrickstolee%2Fcreds-in-url-v5 Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-1237/derrickstolee/creds-in-url-v5 Pull-Request: https://github.com/gitgitgadget/git/pull/1237 Range-diff vs v4: 1: 5fb038402d6 ! 1: b744a9887e5 remote: create fetch.credentialsInUrl config @@ Commit message each process validates the remote URL and outputs a warning. This happens twice for clone, three times for fetch, and once for push. + Co-authored-by: Junio C Hamano <gitster@pobox.com> + Signed-off-by: Junio C Hamano <gitster@pobox.com> Signed-off-by: Derrick Stolee <derrickstolee@github.com> ## Documentation/config/fetch.txt ## @@ remote.c: const char *remote_ref_for_branch(struct branch *branch, int for_push) + int i; + const char *value; + struct strbuf redacted = STRBUF_INIT; ++ int warn_not_die; + -+ if (git_config_get_string_tmp("fetch.credentialsinurl", &value) || -+ !strcmp("allow", value)) ++ if (git_config_get_string_tmp("fetch.credentialsinurl", &value)) + return; + ++ if (!strcmp("warn", value)) ++ warn_not_die = 1; ++ else if (!strcmp("die", value)) ++ warn_not_die = 0; ++ else if (!strcmp("allow", value)) ++ return; ++ else ++ die(_("unrecognized value fetch.credentialsInURL: '%s'"), value); ++ + for (i = 0; i < remote->url_nr; i++) { -+ struct url_info url_info = { NULL }; -+ url_normalize(remote->url[i], &url_info); ++ struct url_info url_info = { 0 }; + -+ if (!url_info.passwd_len) ++ if (!url_normalize(remote->url[i], &url_info) || ++ !url_info.passwd_off) + goto loop_cleanup; + ++ strbuf_reset(&redacted); + strbuf_add(&redacted, url_info.url, url_info.passwd_off); + strbuf_addstr(&redacted, "<redacted>"); -+ strbuf_addstr(&redacted, url_info.url + url_info.passwd_off + url_info.passwd_len); ++ strbuf_addstr(&redacted, ++ url_info.url + url_info.passwd_off + url_info.passwd_len); + -+ if (!strcmp("warn", value)) ++ if (warn_not_die) + warning(_("URL '%s' uses plaintext credentials"), redacted.buf); -+ if (!strcmp("die", value)) ++ else + die(_("URL '%s' uses plaintext credentials"), redacted.buf); + +loop_cleanup: @@ t/t5516-fetch-push.sh: test_expect_success 'refuse to push a hidden ref, and mak + + test_must_fail git -c fetch.credentialsInUrl=die fetch https://username:password@localhost 2>err && + grep "fatal: $message" err >warnings && ++ test_line_count = 1 warnings && ++ ++ test_must_fail git -c fetch.credentialsInUrl=die fetch https://username:@localhost 2>err && ++ grep "fatal: $message" err >warnings && + test_line_count = 1 warnings +' + @@ t/t5601-clone.sh: test_expect_success 'clone respects GIT_WORK_TREE' ' + + test_must_fail git -c fetch.credentialsInUrl=die clone https://username:password@localhost attempt3 2>err && + grep "fatal: $message" err >warnings && ++ test_line_count = 1 warnings && ++ ++ test_must_fail git -c fetch.credentialsInUrl=die clone https://username:@localhost attempt3 2>err && ++ grep "fatal: $message" err >warnings && + test_line_count = 1 warnings +' + Documentation/config/fetch.txt | 14 ++++++++++ remote.c | 48 ++++++++++++++++++++++++++++++++++ t/t5516-fetch-push.sh | 32 +++++++++++++++++++++++ t/t5601-clone.sh | 23 ++++++++++++++++ 4 files changed, 117 insertions(+) diff --git a/Documentation/config/fetch.txt b/Documentation/config/fetch.txt index cd65d236b43..0db7fe85bb8 100644 --- a/Documentation/config/fetch.txt +++ b/Documentation/config/fetch.txt @@ -96,3 +96,17 @@ fetch.writeCommitGraph:: merge and the write may take longer. Having an updated commit-graph file helps performance of many Git commands, including `git merge-base`, `git push -f`, and `git log --graph`. Defaults to false. + +fetch.credentialsInUrl:: + A URL can contain plaintext credentials in the form + `<protocol>://<user>:<password>@<domain>/<path>`. Using such URLs + is not recommended as it exposes the password in multiple ways, + including Git storing the URL as plaintext in the repository config. + The `fetch.credentialsInUrl` option provides instruction for how Git + should react to seeing such a URL, with these values: ++ +* `allow` (default): Git will proceed with its activity without warning. +* `warn`: Git will write a warning message to `stderr` when parsing a URL + with a plaintext credential. +* `die`: Git will write a failure message to `stderr` when parsing a URL + with a plaintext credential. diff --git a/remote.c b/remote.c index 930fdc9c2f6..2b6a8b3df7d 100644 --- a/remote.c +++ b/remote.c @@ -1,6 +1,7 @@ #include "cache.h" #include "config.h" #include "remote.h" +#include "urlmatch.h" #include "refs.h" #include "refspec.h" #include "object-store.h" @@ -614,6 +615,50 @@ const char *remote_ref_for_branch(struct branch *branch, int for_push) return NULL; } +static void validate_remote_url(struct remote *remote) +{ + int i; + const char *value; + struct strbuf redacted = STRBUF_INIT; + int warn_not_die; + + if (git_config_get_string_tmp("fetch.credentialsinurl", &value)) + return; + + if (!strcmp("warn", value)) + warn_not_die = 1; + else if (!strcmp("die", value)) + warn_not_die = 0; + else if (!strcmp("allow", value)) + return; + else + die(_("unrecognized value fetch.credentialsInURL: '%s'"), value); + + for (i = 0; i < remote->url_nr; i++) { + struct url_info url_info = { 0 }; + + if (!url_normalize(remote->url[i], &url_info) || + !url_info.passwd_off) + goto loop_cleanup; + + strbuf_reset(&redacted); + strbuf_add(&redacted, url_info.url, url_info.passwd_off); + strbuf_addstr(&redacted, "<redacted>"); + strbuf_addstr(&redacted, + url_info.url + url_info.passwd_off + url_info.passwd_len); + + if (warn_not_die) + warning(_("URL '%s' uses plaintext credentials"), redacted.buf); + else + die(_("URL '%s' uses plaintext credentials"), redacted.buf); + +loop_cleanup: + free(url_info.url); + } + + strbuf_release(&redacted); +} + static struct remote * remotes_remote_get_1(struct remote_state *remote_state, const char *name, const char *(*get_default)(struct remote_state *, @@ -639,6 +684,9 @@ remotes_remote_get_1(struct remote_state *remote_state, const char *name, add_url_alias(remote_state, ret, name); if (!valid_remote(ret)) return NULL; + + validate_remote_url(ret); + return ret; } diff --git a/t/t5516-fetch-push.sh b/t/t5516-fetch-push.sh index 4dfb080433e..dc6cb3cbf5d 100755 --- a/t/t5516-fetch-push.sh +++ b/t/t5516-fetch-push.sh @@ -12,6 +12,7 @@ This test checks the following functionality: * --porcelain output format * hiderefs * reflogs +* URL validation ' GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME=main @@ -1813,4 +1814,35 @@ test_expect_success 'refuse to push a hidden ref, and make sure do not pollute t test_dir_is_empty testrepo/.git/objects/pack ' +test_expect_success 'fetch warns or fails when using username:password' ' + message="URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" && + test_must_fail git -c fetch.credentialsInUrl=allow fetch https://username:password@localhost 2>err && + ! grep "$message" err && + + test_must_fail git -c fetch.credentialsInUrl=warn fetch https://username:password@localhost 2>err && + grep "warning: $message" err >warnings && + test_line_count = 3 warnings && + + test_must_fail git -c fetch.credentialsInUrl=die fetch https://username:password@localhost 2>err && + grep "fatal: $message" err >warnings && + test_line_count = 1 warnings && + + test_must_fail git -c fetch.credentialsInUrl=die fetch https://username:@localhost 2>err && + grep "fatal: $message" err >warnings && + test_line_count = 1 warnings +' + + +test_expect_success 'push warns or fails when using username:password' ' + message="URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" && + test_must_fail git -c fetch.credentialsInUrl=allow push https://username:password@localhost 2>err && + ! grep "$message" err && + + test_must_fail git -c fetch.credentialsInUrl=warn push https://username:password@localhost 2>err && + grep "warning: $message" err >warnings && + test_must_fail git -c fetch.credentialsInUrl=die push https://username:password@localhost 2>err && + grep "fatal: $message" err >warnings && + test_line_count = 1 warnings +' + test_done diff --git a/t/t5601-clone.sh b/t/t5601-clone.sh index 4a61f2c901e..d2f046b4b92 100755 --- a/t/t5601-clone.sh +++ b/t/t5601-clone.sh @@ -71,6 +71,29 @@ test_expect_success 'clone respects GIT_WORK_TREE' ' ' +test_expect_success 'clone warns or fails when using username:password' ' + message="URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" && + test_must_fail git -c fetch.credentialsInUrl=allow clone https://username:password@localhost attempt1 2>err && + ! grep "$message" err && + + test_must_fail git -c fetch.credentialsInUrl=warn clone https://username:password@localhost attempt2 2>err && + grep "warning: $message" err >warnings && + test_line_count = 2 warnings && + + test_must_fail git -c fetch.credentialsInUrl=die clone https://username:password@localhost attempt3 2>err && + grep "fatal: $message" err >warnings && + test_line_count = 1 warnings && + + test_must_fail git -c fetch.credentialsInUrl=die clone https://username:@localhost attempt3 2>err && + grep "fatal: $message" err >warnings && + test_line_count = 1 warnings +' + +test_expect_success 'clone does not detect username:password when it is https://username@domain:port/' ' + test_must_fail git -c fetch.credentialsInUrl=warn clone https://username@localhost:8080 attempt3 2>err && + ! grep "uses plaintext credentials" err +' + test_expect_success 'clone from hooks' ' test_create_repo r0 && base-commit: 2668e3608e47494f2f10ef2b6e69f08a84816bcb -- gitgitgadget ^ permalink raw reply related [flat|nested] 40+ messages in thread
* Re: [PATCH v5] remote: create fetch.credentialsInUrl config 2022-06-06 14:36 ` [PATCH v5] " Derrick Stolee via GitGitGadget @ 2022-06-06 16:34 ` Junio C Hamano 0 siblings, 0 replies; 40+ messages in thread From: Junio C Hamano @ 2022-06-06 16:34 UTC (permalink / raw) To: Derrick Stolee via GitGitGadget Cc: git, peff, me, avarab, christian.couder, johannes.schindelin, jrnieder, brian m. carlson, Robert Coup, Derrick Stolee "Derrick Stolee via GitGitGadget" <gitgitgadget@gmail.com> writes: > * Noticed that the redacted strbuf wasn't reset between loop > iterations, which only matters if there are multiple URLs for the > remote. Thanks, I missed that. Will queue. ^ permalink raw reply [flat|nested] 40+ messages in thread
end of thread, other threads:[~2022-06-06 16:35 UTC | newest] Thread overview: 40+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2022-05-23 18:04 [PATCH] urlmatch: create fetch.credentialsInUrl config Derrick Stolee via GitGitGadget 2022-05-23 19:06 ` Junio C Hamano 2022-05-23 20:31 ` Derrick Stolee 2022-05-23 21:14 ` Junio C Hamano 2022-05-24 11:46 ` Johannes Schindelin 2022-05-24 20:14 ` Derrick Stolee 2022-05-23 20:37 ` Junio C Hamano 2022-05-24 11:51 ` Johannes Schindelin 2022-05-24 8:18 ` Ævar Arnfjörð Bjarmason 2022-05-24 13:50 ` Derrick Stolee 2022-05-24 21:01 ` Ævar Arnfjörð Bjarmason 2022-05-25 14:03 ` Derrick Stolee 2022-05-24 11:42 ` Johannes Schindelin 2022-05-24 20:16 ` Derrick Stolee 2022-05-27 13:27 ` [PATCH v2] " Derrick Stolee via GitGitGadget 2022-05-27 14:22 ` Ævar Arnfjörð Bjarmason 2022-05-27 14:43 ` Derrick Stolee 2022-05-27 18:09 ` Junio C Hamano 2022-05-27 18:40 ` Junio C Hamano 2022-05-30 0:16 ` Junio C Hamano 2022-05-31 13:32 ` Derrick Stolee 2022-06-01 1:16 ` [PATCH v3 0/2] fetch: " Derrick Stolee via GitGitGadget 2022-06-01 1:16 ` [PATCH v3 1/2] remote: " Derrick Stolee via GitGitGadget 2022-06-01 19:19 ` Ævar Arnfjörð Bjarmason 2022-06-02 13:38 ` Derrick Stolee 2022-06-01 1:16 ` [PATCH v3 2/2] usage: add warn_once() helper for repeated warnings Derrick Stolee via GitGitGadget 2022-06-01 12:29 ` Ævar Arnfjörð Bjarmason 2022-06-01 18:42 ` Derrick Stolee 2022-06-01 19:33 ` Ævar Arnfjörð Bjarmason 2022-06-02 13:43 ` Derrick Stolee 2022-06-01 20:21 ` Junio C Hamano 2022-06-02 14:24 ` Derrick Stolee 2022-06-02 17:53 ` Junio C Hamano 2022-06-01 20:40 ` Junio C Hamano 2022-06-02 17:20 ` [PATCH v4] remote: create fetch.credentialsInUrl config Derrick Stolee via GitGitGadget 2022-06-02 21:20 ` Junio C Hamano 2022-06-03 12:54 ` Derrick Stolee 2022-06-06 15:37 ` Junio C Hamano 2022-06-06 14:36 ` [PATCH v5] " Derrick Stolee via GitGitGadget 2022-06-06 16:34 ` Junio C Hamano
Code repositories for project(s) associated with this public inbox https://80x24.org/mirrors/git.git This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).