diff options
| -rw-r--r-- | Documentation/RelNotes/2.37.0.txt | 6 | ||||
| -rw-r--r-- | Documentation/config/fetch.txt | 14 | ||||
| -rw-r--r-- | Documentation/config/transfer.txt | 38 | ||||
| -rw-r--r-- | remote.c | 4 | ||||
| -rwxr-xr-x | t/t5516-fetch-push.sh | 14 | ||||
| -rwxr-xr-x | t/t5601-clone.sh | 10 |
6 files changed, 56 insertions, 30 deletions
diff --git a/Documentation/RelNotes/2.37.0.txt b/Documentation/RelNotes/2.37.0.txt index e491a4b7ba..bf00ccc437 100644 --- a/Documentation/RelNotes/2.37.0.txt +++ b/Documentation/RelNotes/2.37.0.txt @@ -54,8 +54,10 @@ UI, Workflows & Features * Update the doctype written in gitweb output to xhtml5. - * The "fetch.credentialsInUrl" configuration variable controls what - happens when a URL with embedded login credential is used. + * The "transfer.credentialsInUrl" configuration variable controls what + happens when a URL with embedded login credential is used on either + "fetch" or "push". Credentials are currently only detected in + `remote.<name>.url` config, not `remote.<name>.pushurl`. * "git revert" learns "--reference" option to use more human-readable reference to the commit it reverts in the message template it diff --git a/Documentation/config/fetch.txt b/Documentation/config/fetch.txt index 0db7fe85bb..cd65d236b4 100644 --- a/Documentation/config/fetch.txt +++ b/Documentation/config/fetch.txt @@ -96,17 +96,3 @@ fetch.writeCommitGraph:: merge and the write may take longer. Having an updated commit-graph file helps performance of many Git commands, including `git merge-base`, `git push -f`, and `git log --graph`. Defaults to false. - -fetch.credentialsInUrl:: - A URL can contain plaintext credentials in the form - `<protocol>://<user>:<password>@<domain>/<path>`. Using such URLs - is not recommended as it exposes the password in multiple ways, - including Git storing the URL as plaintext in the repository config. - The `fetch.credentialsInUrl` option provides instruction for how Git - should react to seeing such a URL, with these values: -+ -* `allow` (default): Git will proceed with its activity without warning. -* `warn`: Git will write a warning message to `stderr` when parsing a URL - with a plaintext credential. -* `die`: Git will write a failure message to `stderr` when parsing a URL - with a plaintext credential. diff --git a/Documentation/config/transfer.txt b/Documentation/config/transfer.txt index b49429eb4d..b4475c0690 100644 --- a/Documentation/config/transfer.txt +++ b/Documentation/config/transfer.txt @@ -1,3 +1,41 @@ +transfer.credentialsInUrl:: + A configured URL can contain plaintext credentials in the form + `<protocol>://<user>:<password>@<domain>/<path>`. You may want + to warn or forbid the use of such configuration (in favor of + using linkgit:git-credential[1]). This will be used on + linkgit:git-clone[1], linkgit:git-fetch[1], linkgit:git-push[1], + and any other direct use of the configured URL. ++ +Note that this is currently limited to detecting credentials in +`remote.<name>.url` configuration, it won't detect credentials in +`remote.<name>.pushurl` configuration. ++ +You might want to enable this to prevent inadvertent credentials +exposure, e.g. because: ++ +* The OS or system where you're running git may not provide way way or + otherwise allow you to configure the permissions of the + configuration file where the username and/or password are stored. +* Even if it does, having such data stored "at rest" might expose you + in other ways, e.g. a backup process might copy the data to another + system. +* The git programs will pass the full URL to one another as arguments + on the command-line, meaning the credentials will be exposed to oher + users on OS's or systems that allow other users to see the full + process list of other users. On linux the "hidepid" setting + documented in procfs(5) allows for configuring this behavior. ++ +If such concerns don't apply to you then you probably don't need to be +concerned about credentials exposure due to storing that sensitive +data in git's configuration files. If you do want to use this, set +`transfer.credentialsInUrl` to one of these values: ++ +* `allow` (default): Git will proceed with its activity without warning. +* `warn`: Git will write a warning message to `stderr` when parsing a URL + with a plaintext credential. +* `die`: Git will write a failure message to `stderr` when parsing a URL + with a plaintext credential. + transfer.fsckObjects:: When `fetch.fsckObjects` or `receive.fsckObjects` are not set, the value of this variable is used instead. @@ -623,7 +623,7 @@ static void validate_remote_url(struct remote *remote) struct strbuf redacted = STRBUF_INIT; int warn_not_die; - if (git_config_get_string_tmp("fetch.credentialsinurl", &value)) + if (git_config_get_string_tmp("transfer.credentialsinurl", &value)) return; if (!strcmp("warn", value)) @@ -633,7 +633,7 @@ static void validate_remote_url(struct remote *remote) else if (!strcmp("allow", value)) return; else - die(_("unrecognized value fetch.credentialsInURL: '%s'"), value); + die(_("unrecognized value transfer.credentialsInURL: '%s'"), value); for (i = 0; i < remote->url_nr; i++) { struct url_info url_info = { 0 }; diff --git a/t/t5516-fetch-push.sh b/t/t5516-fetch-push.sh index c1220b2ed3..541adbb310 100755 --- a/t/t5516-fetch-push.sh +++ b/t/t5516-fetch-push.sh @@ -1836,18 +1836,18 @@ test_expect_success 'refuse to push a hidden ref, and make sure do not pollute t test_expect_success LIBCURL 'fetch warns or fails when using username:password' ' message="URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" && - test_must_fail git -c fetch.credentialsInUrl=allow fetch https://username:password@localhost 2>err && + test_must_fail git -c transfer.credentialsInUrl=allow fetch https://username:password@localhost 2>err && ! grep "$message" err && - test_must_fail git -c fetch.credentialsInUrl=warn fetch https://username:password@localhost 2>err && + test_must_fail git -c transfer.credentialsInUrl=warn fetch https://username:password@localhost 2>err && grep "warning: $message" err >warnings && test_line_count = 3 warnings && - test_must_fail git -c fetch.credentialsInUrl=die fetch https://username:password@localhost 2>err && + test_must_fail git -c transfer.credentialsInUrl=die fetch https://username:password@localhost 2>err && grep "fatal: $message" err >warnings && test_line_count = 1 warnings && - test_must_fail git -c fetch.credentialsInUrl=die fetch https://username:@localhost 2>err && + test_must_fail git -c transfer.credentialsInUrl=die fetch https://username:@localhost 2>err && grep "fatal: $message" err >warnings && test_line_count = 1 warnings ' @@ -1855,12 +1855,12 @@ test_expect_success LIBCURL 'fetch warns or fails when using username:password' test_expect_success LIBCURL 'push warns or fails when using username:password' ' message="URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" && - test_must_fail git -c fetch.credentialsInUrl=allow push https://username:password@localhost 2>err && + test_must_fail git -c transfer.credentialsInUrl=allow push https://username:password@localhost 2>err && ! grep "$message" err && - test_must_fail git -c fetch.credentialsInUrl=warn push https://username:password@localhost 2>err && + test_must_fail git -c transfer.credentialsInUrl=warn push https://username:password@localhost 2>err && grep "warning: $message" err >warnings && - test_must_fail git -c fetch.credentialsInUrl=die push https://username:password@localhost 2>err && + test_must_fail git -c transfer.credentialsInUrl=die push https://username:password@localhost 2>err && grep "fatal: $message" err >warnings && test_line_count = 1 warnings ' diff --git a/t/t5601-clone.sh b/t/t5601-clone.sh index eeed233362..cf3be0584f 100755 --- a/t/t5601-clone.sh +++ b/t/t5601-clone.sh @@ -73,24 +73,24 @@ test_expect_success 'clone respects GIT_WORK_TREE' ' test_expect_success LIBCURL 'clone warns or fails when using username:password' ' message="URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" && - test_must_fail git -c fetch.credentialsInUrl=allow clone https://username:password@localhost attempt1 2>err && + test_must_fail git -c transfer.credentialsInUrl=allow clone https://username:password@localhost attempt1 2>err && ! grep "$message" err && - test_must_fail git -c fetch.credentialsInUrl=warn clone https://username:password@localhost attempt2 2>err && + test_must_fail git -c transfer.credentialsInUrl=warn clone https://username:password@localhost attempt2 2>err && grep "warning: $message" err >warnings && test_line_count = 2 warnings && - test_must_fail git -c fetch.credentialsInUrl=die clone https://username:password@localhost attempt3 2>err && + test_must_fail git -c transfer.credentialsInUrl=die clone https://username:password@localhost attempt3 2>err && grep "fatal: $message" err >warnings && test_line_count = 1 warnings && - test_must_fail git -c fetch.credentialsInUrl=die clone https://username:@localhost attempt3 2>err && + test_must_fail git -c transfer.credentialsInUrl=die clone https://username:@localhost attempt3 2>err && grep "fatal: $message" err >warnings && test_line_count = 1 warnings ' test_expect_success LIBCURL 'clone does not detect username:password when it is https://username@domain:port/' ' - test_must_fail git -c fetch.credentialsInUrl=warn clone https://username@localhost:8080 attempt3 2>err && + test_must_fail git -c transfer.credentialsInUrl=warn clone https://username@localhost:8080 attempt3 2>err && ! grep "uses plaintext credentials" err ' |