Skip to content

fix: do not inject GIT_USERNAME and GIT_PASSWORD into git clone URL#141

Merged
johnstcn merged 5 commits intomainfrom
cj/git-config-dont-leak-creds
Apr 25, 2024
Merged

fix: do not inject GIT_USERNAME and GIT_PASSWORD into git clone URL#141
johnstcn merged 5 commits intomainfrom
cj/git-config-dont-leak-creds

Conversation

@johnstcn
Copy link
Member

@johnstcn johnstcn commented Apr 24, 2024
edited
Loading

Fixes #126

We had been writing the GIT_USERNAME and GIT_PASSWORD into the git auth URL as well as setting basic HTTP auth credentials.
This causes GIT_USERNAME and GIT_PASSWORD to be present in the .git/config of the clond repo, which is not desirable.
This PR removes that behaviour and modifies existing unit tests to assert that the git clone URL is not modified from what the user passes in.

The previous behaviour can be preserved by explicitly setting basic auth in the git clone URL, if required.

@johnstcn johnstcn self-assigned this Apr 24, 2024
johnstcn
johnstcn commented Apr 24, 2024
View reviewed changes
integration/integration_test.go
return srv.URL
}

func checkBasicAuth(username, password string) func(http.Handler) http.Handler {
Copy link
Member Author

@johnstcn johnstcn Apr 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

review: moved to gittest

Copy link
Member

@mtojek mtojek Apr 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it intended to be used anywhere else in envbuilder? I'm considering moving it to integration/gittest.go

Ok, I found the place. Speaking of consistency with coder/coder that should land in testutil.

Copy link
Member Author

@johnstcn johnstcn Apr 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will do in a follow-up PR 👍

git_test.go

t.Run("Clones", func(t *testing.T) {
t.Parallel()
for _, tc := range []struct {
Copy link
Member Author

@johnstcn johnstcn Apr 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

review: trying to cover all cases outlined here:

https://github.com/coder/envbuilder?tab=readme-ov-file#git-authentication

@johnstcn johnstcn marked this pull request as ready for review April 24, 2024 16:49
@johnstcn johnstcn changed the title fix: do not inject git credentials into git clone URL fix: do not inject GIT_USERNAME and GIT_PASSWORD into git clone URL Apr 24, 2024
johnstcn
johnstcn commented Apr 24, 2024
View reviewed changes
dannykopping
dannykopping reviewed Apr 25, 2024
View reviewed changes
mtojek
mtojek reviewed Apr 25, 2024
View reviewed changes
integration/integration_test.go
return srv.URL
}

func checkBasicAuth(username, password string) func(http.Handler) http.Handler {
Copy link
Member

@mtojek mtojek Apr 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it intended to be used anywhere else in envbuilder? I'm considering moving it to integration/gittest.go

Ok, I found the place. Speaking of consistency with coder/coder that should land in testutil.

git_test.go
return string(content)
}

func setupGit(t *testing.T, user, pass string) (url string) {
Copy link
Member

@mtojek mtojek Apr 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about moving this to gittest?

Copy link
Member Author

@johnstcn johnstcn Apr 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll open a a separate PR to refactor this 👍

mtojek
mtojek approved these changes Apr 25, 2024
View reviewed changes
Copy link
Member

@mtojek mtojek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for addressing the comments so quickly!

@johnstcn johnstcn merged commit 95ae2f0 into main Apr 25, 2024
@johnstcn johnstcn deleted the cj/git-config-dont-leak-creds branch April 25, 2024 08:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dannykopping dannykopping dannykopping left review comments

@mtojek mtojek mtojek approved these changes

@mafredri mafredri Awaiting requested review from mafredri

Assignees

@johnstcn johnstcn

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Gitlab oauth2:token being written to .git/config file after cloning

3 participants

@johnstcn @dannykopping @mtojek