Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use git config credential.helper 'store --file=/tmp/file' for git push` #199

Merged
merged 2 commits into from
Jul 26, 2022
Merged

Use git config credential.helper 'store --file=/tmp/file' for git push` #199

merged 2 commits into from
Jul 26, 2022

Conversation

Ocramius
Copy link
Member

This should fix some underlying design issues described in #198

The full URI of the repository, which includes a token in plaintext, is now no
longer the actual git remote URI, and is instead stored in a temporary
file which git uses to authenticate with the remote.

This prevents the remote URI from leaking in STDOUT/STDERR, which are
visible in case of crashes.

This is a partial fix of #198 - the issue with git being broken upfront is still there.

@Ocramius
Use git config credential.helper 'store --file=/tmp/file' for git p…
9ca1989 
…ush`

This should fix some underlying design issues described in #198

The full URI of the repository, which includes a token in plaintext, is now no
longer the actual `git remote` URI, and is instead stored in a temporary
file which `git` uses to authenticate with the remote.

This prevents the remote URI from leaking in `STDOUT`/`STDERR`, which are
visible in case of crashes.
@Ocramius Ocramius added the Bug Something isn't working label Jul 26, 2022
@Ocramius Ocramius added this to the 1.14.0 milestone Jul 26, 2022
@weierophinney weierophinney mentioned this pull request Jul 26, 2022
Closed
@Ocramius Ocramius self-assigned this Jul 26, 2022
@Ocramius
Test: failing to fetch a repository and create credentials does NOT e…
6b61ca6 
…xfiltate those credentials

This test fails on `1.14.x`, and succeeds on `HEAD`, therefore validating the current patch, and
preventing a security regression.
@Ocramius Ocramius merged commit 72e81b1 into 1.14.x Jul 26, 2022
@Ocramius Ocramius deleted the fix/#198-use-git-internal-credential-store-for-authentication branch July 26, 2022 15:37
@github-actions github-actions bot mentioned this pull request Jul 26, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@weierophinney weierophinney weierophinney left review comments

Assignees

@Ocramius Ocramius

Labels
Bug Something isn't working
Projects
None yet
Milestone
1.14.0
Development

Successfully merging this pull request may close these issues.
2 participants
@Ocramius @weierophinney