author | uran <uran@zeoalliance.com> | 2014-08-28 19:36:10 +0300 |
---|---|---|
committer | uran <uran@zeoalliance.com> | 2014-08-28 19:52:20 +0300 |
commit | 5287df54973ca6004094ab038812a904319dca41 (patch) | |
tree | 6caac0f188929b55adfc2d98ce03b54fb4979a6d | |
parent | 91753e937e729c0fedc9a5dd7ae52b85436b4971 (diff) | |
download | gitlab-shell-5287df54973ca6004094ab038812a904319dca41.tar.gz |
Security issue: imported URLs are stored along with password.
-rw-r--r-- | lib/gitlab_projects.rb | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/lib/gitlab_projects.rb b/lib/gitlab_projects.rb
index a6fa1b5..dd720c7 100644
--- a/lib/gitlab_projects.rb
+++ b/lib/gitlab_projects.rb
@@ -94,6 +94,20 @@ class GitlabProjects
     FileUtils.rm_rf(full_path)
   end
 
+  def mask_password_in_url(url)
+    result = URI(url)
+    result.password = "*****" unless result.password.nil?
+    result
+  rescue
+    url
+  end
+
+  def remove_origin_in_repo
+    cmd = %W(git --git-dir=#{full_path} remote remove origin)
+    pid = Process.spawn(*cmd)
+    Process.wait(pid)
+  end
+
   # Import project via git clone --bare
   # URL must be publicly cloneable
   def import_project
@@ -101,10 +115,11 @@ class GitlabProjects
     return false if File.exists?(full_path)
 
     @source = ARGV.shift
+    masked_source = mask_password_in_url(@source)
 
     # timeout for clone
     timeout = (ARGV.shift || 120).to_i
-    $logger.info "Importing project #{@project_name} from <#{@source}> to <#{full_path}>."
+    $logger.info "Importing project #{@project_name} from <#{masked_source}> to <#{full_path}>."
 
     cmd = %W(git clone --bare -- #{@source} #{full_path})
     pid = Process.spawn(*cmd)
@@ -114,7 +129,7 @@ class GitlabProjects
         Process.wait(pid)
       end
     rescue Timeout::Error
-      $logger.error "Importing project #{@project_name} from <#{@source}> failed due to timeout."
+      $logger.error "Importing project #{@project_name} from <#{masked_source}> failed due to timeout."
       Process.kill('KILL', pid)
       Process.wait
 
@@ -122,6 +137,9 @@ class GitlabProjects
       false
     else
       self.class.create_hooks(full_path)
+      # The project was imported successfully.
+      # Remove the origin URL since it may contain password.
+      remove_origin_in_repo
     end
   end
 
|
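Review bot: The bare `rescue` in `mask_password_in_url` returns the original `url` when `URI()` cannot parse it, so an unparseable source URL reaches the log unmasked, password included, which is exactly the leak this commit sets out to close. A fixed placeholder is the safer fallback, e.g. `rescue URI::Error, ArgumentError` followed by `'<unparseable url>'`, and a one-line comment on the method should state that it is a best-effort mask for log output only, not a sanitizer for the URL itself. `remove_origin_in_repo` also discards the child's exit status after `Process.wait(pid)`: if `git remote remove origin` fails, the credentialed URL silently stays in the repository config, so checking `$?.success?` and logging the failure would make the cleanup verifiable.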
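Review bot: `masked_source` is used only for the log line; the unmasked `@source` is still placed in the `git clone` argv on the `cmd = %W(...)` line just below, and process arguments are typically readable by other local users for the duration of the clone, so the change narrows the exposure rather than removing it. A comment at that line would keep a later reader from assuming the credential never leaves the logger, e.g. `# NOTE: @source (with any embedded credentials) is still passed on the git command line`. `import_project` begins before this hunk and its body continues in the two hunks that follow.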