undef/git-commit-vandalism
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

transfer doc: move fetch.credentialsInUrl to "transfer" config namespace

Browse Source 
Rename the "fetch.credentialsInUrl" configuration variable introduced
in 6dcbdc0d661 (remote: create fetch.credentialsInUrl config,
2022-06-06) to "transfer".

There are existing exceptions, but generally speaking the
"<namespace>.<var>" configuration should only apply to command
described in the "namespace" (and its sub-commands, so e.g. "clone.*"
or "fetch.*" might also configure "git-remote-https").

But in the case of "fetch.credentialsInUrl" we've got a configuration
variable that configures the behavior of all of "clone", "push" and
"fetch", someone adjusting "fetch.*" configuration won't expect to
have the behavior of "git push" altered, especially as we have the
pre-existing "{transfer,fetch,receive}.fsckObjects", which configures
different parts of the transfer dialog.

So let's move this configuration variable to the "transfer" namespace
before it's exposed in a release. We could add all of
"{transfer,fetch,pull}.credentialsInUrl" at some other time, but once
we have "fetch" configure "pull" such an arrangement would would be a
confusing mess, as we'd at least need to have "fetch" configure
"push" (but not the other way around), or change existing behavior.

Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
Acked-by: Derrick Stolee <derrickstolee@github.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:
Ævar Arnfjörð Bjarmason 2022-06-15 12:44:12 +02:00 committed by Junio C Hamano
parent 4a169da280
commit 7281c196b1
6 changed files with 53 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Documentation/RelNotes/2.37.0.txt
View File

@ -54,7 +54,7 @@ UI, Workflows & Features
* Update the doctype written in gitweb output to xhtml5. * Update the doctype written in gitweb output to xhtml5.
* The "fetch.credentialsInUrl" configuration variable controls what * The "transfer.credentialsInUrl" configuration variable controls what
happens when a URL with embedded login credential is used on either happens when a URL with embedded login credential is used on either
"fetch" or "push". Credentials are currently only detected in "fetch" or "push". Credentials are currently only detected in
`remote.<name>.url` config, not `remote.<name>.pushurl`. `remote.<name>.url` config, not `remote.<name>.pushurl`.

36
Documentation/config/fetch.txt
View File

@ -96,39 +96,3 @@ fetch.writeCommitGraph::
merge and the write may take longer. Having an updated commit-graph merge and the write may take longer. Having an updated commit-graph
file helps performance of many Git commands, including `git merge-base`, file helps performance of many Git commands, including `git merge-base`,
`git push -f`, and `git log --graph`. Defaults to false. `git push -f`, and `git log --graph`. Defaults to false.
fetch.credentialsInUrl::
A configured URL can contain plaintext credentials in the form
`<protocol>://<user>:<password>@<domain>/<path>`. You may want
to warn or forbid the use of such configuration (in favor of
using linkgit:git-credential[1]).
+
Note that this is currently limited to detecting credentials in
`remote.<name>.url` configuration, it won't detect credentials in
`remote.<name>.pushurl` configuration.
+
You might want to enable this to prevent inadvertent credentials
exposure, e.g. because:
+
* The OS or system where you're running git may not provide way way or
otherwise allow you to configure the permissions of the
configuration file where the username and/or password are stored.
* Even if it does, having such data stored "at rest" might expose you
in other ways, e.g. a backup process might copy the data to another
system.
* The git programs will pass the full URL to one another as arguments
on the command-line, meaning the credentials will be exposed to oher
users on OS's or systems that allow other users to see the full
process list of other users. On linux the "hidepid" setting
documented in procfs(5) allows for configuring this behavior.
+
If such concerns don't apply to you then you probably don't need to be
concerned about credentials exposure due to storing that sensitive
data in git's configuration files. If you do want to use this, set
`fetch.credentialsInUrl` to one of these values:
+
* `allow` (default): Git will proceed with its activity without warning.
* `warn`: Git will write a warning message to `stderr` when parsing a URL
with a plaintext credential.
* `die`: Git will write a failure message to `stderr` when parsing a URL
with a plaintext credential.

38
Documentation/config/transfer.txt
View File

@ -1,3 +1,41 @@
transfer.credentialsInUrl::
A configured URL can contain plaintext credentials in the form
`<protocol>://<user>:<password>@<domain>/<path>`. You may want
to warn or forbid the use of such configuration (in favor of
using linkgit:git-credential[1]). This will be used on
linkgit:git-clone[1], linkgit:git-fetch[1], linkgit:git-push[1],
and any other direct use of the configured URL.
+
Note that this is currently limited to detecting credentials in
`remote.<name>.url` configuration, it won't detect credentials in
`remote.<name>.pushurl` configuration.
+
You might want to enable this to prevent inadvertent credentials
exposure, e.g. because:
+
* The OS or system where you're running git may not provide way way or
otherwise allow you to configure the permissions of the
configuration file where the username and/or password are stored.
* Even if it does, having such data stored "at rest" might expose you
in other ways, e.g. a backup process might copy the data to another
system.
* The git programs will pass the full URL to one another as arguments
on the command-line, meaning the credentials will be exposed to oher
users on OS's or systems that allow other users to see the full
process list of other users. On linux the "hidepid" setting
documented in procfs(5) allows for configuring this behavior.
+
If such concerns don't apply to you then you probably don't need to be
concerned about credentials exposure due to storing that sensitive
data in git's configuration files. If you do want to use this, set
`transfer.credentialsInUrl` to one of these values:
+
* `allow` (default): Git will proceed with its activity without warning.
* `warn`: Git will write a warning message to `stderr` when parsing a URL
with a plaintext credential.
* `die`: Git will write a failure message to `stderr` when parsing a URL
with a plaintext credential.
transfer.fsckObjects:: transfer.fsckObjects::
When `fetch.fsckObjects` or `receive.fsckObjects` are When `fetch.fsckObjects` or `receive.fsckObjects` are
not set, the value of this variable is used instead. not set, the value of this variable is used instead.

4
remote.c
View File

@ -623,7 +623,7 @@ static void validate_remote_url(struct remote *remote)
struct strbuf redacted = STRBUF_INIT; struct strbuf redacted = STRBUF_INIT;
int warn_not_die; int warn_not_die;
if (git_config_get_string_tmp("fetch.credentialsinurl", &value)) if (git_config_get_string_tmp("transfer.credentialsinurl", &value))
return; return;
if (!strcmp("warn", value)) if (!strcmp("warn", value))
@ -633,7 +633,7 @@ static void validate_remote_url(struct remote *remote)
else if (!strcmp("allow", value)) else if (!strcmp("allow", value))
return; return;
else else
die(_("unrecognized value fetch.credentialsInURL: '%s'"), value); die(_("unrecognized value transfer.credentialsInURL: '%s'"), value);
for (i = 0; i < remote->url_nr; i++) { for (i = 0; i < remote->url_nr; i++) {
struct url_info url_info = { 0 }; struct url_info url_info = { 0 };

14
t/t5516-fetch-push.sh
View File

@ -1836,18 +1836,18 @@ test_expect_success 'refuse to push a hidden ref, and make sure do not pollute t
test_expect_success 'fetch warns or fails when using username:password' ' test_expect_success 'fetch warns or fails when using username:password' '
message="URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" && message="URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" &&
test_must_fail git -c fetch.credentialsInUrl=allow fetch https://username:password@localhost 2>err && test_must_fail git -c transfer.credentialsInUrl=allow fetch https://username:password@localhost 2>err &&
! grep "$message" err && ! grep "$message" err &&
test_must_fail git -c fetch.credentialsInUrl=warn fetch https://username:password@localhost 2>err && test_must_fail git -c transfer.credentialsInUrl=warn fetch https://username:password@localhost 2>err &&
grep "warning: $message" err >warnings && grep "warning: $message" err >warnings &&
test_line_count = 3 warnings && test_line_count = 3 warnings &&
test_must_fail git -c fetch.credentialsInUrl=die fetch https://username:password@localhost 2>err && test_must_fail git -c transfer.credentialsInUrl=die fetch https://username:password@localhost 2>err &&
grep "fatal: $message" err >warnings && grep "fatal: $message" err >warnings &&
test_line_count = 1 warnings && test_line_count = 1 warnings &&
test_must_fail git -c fetch.credentialsInUrl=die fetch https://username:@localhost 2>err && test_must_fail git -c transfer.credentialsInUrl=die fetch https://username:@localhost 2>err &&
grep "fatal: $message" err >warnings && grep "fatal: $message" err >warnings &&
test_line_count = 1 warnings test_line_count = 1 warnings
' '
@ -1855,12 +1855,12 @@ test_expect_success 'fetch warns or fails when using username:password' '
test_expect_success 'push warns or fails when using username:password' ' test_expect_success 'push warns or fails when using username:password' '
message="URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" && message="URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" &&
test_must_fail git -c fetch.credentialsInUrl=allow push https://username:password@localhost 2>err && test_must_fail git -c transfer.credentialsInUrl=allow push https://username:password@localhost 2>err &&
! grep "$message" err && ! grep "$message" err &&
test_must_fail git -c fetch.credentialsInUrl=warn push https://username:password@localhost 2>err && test_must_fail git -c transfer.credentialsInUrl=warn push https://username:password@localhost 2>err &&
grep "warning: $message" err >warnings && grep "warning: $message" err >warnings &&
test_must_fail git -c fetch.credentialsInUrl=die push https://username:password@localhost 2>err && test_must_fail git -c transfer.credentialsInUrl=die push https://username:password@localhost 2>err &&
grep "fatal: $message" err >warnings && grep "fatal: $message" err >warnings &&
test_line_count = 1 warnings test_line_count = 1 warnings
' '

10
t/t5601-clone.sh
View File

@ -73,24 +73,24 @@ test_expect_success 'clone respects GIT_WORK_TREE' '
test_expect_success 'clone warns or fails when using username:password' ' test_expect_success 'clone warns or fails when using username:password' '
message="URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" && message="URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" &&
test_must_fail git -c fetch.credentialsInUrl=allow clone https://username:password@localhost attempt1 2>err && test_must_fail git -c transfer.credentialsInUrl=allow clone https://username:password@localhost attempt1 2>err &&
! grep "$message" err && ! grep "$message" err &&
test_must_fail git -c fetch.credentialsInUrl=warn clone https://username:password@localhost attempt2 2>err && test_must_fail git -c transfer.credentialsInUrl=warn clone https://username:password@localhost attempt2 2>err &&
grep "warning: $message" err >warnings && grep "warning: $message" err >warnings &&
test_line_count = 2 warnings && test_line_count = 2 warnings &&
test_must_fail git -c fetch.credentialsInUrl=die clone https://username:password@localhost attempt3 2>err && test_must_fail git -c transfer.credentialsInUrl=die clone https://username:password@localhost attempt3 2>err &&
grep "fatal: $message" err >warnings && grep "fatal: $message" err >warnings &&
test_line_count = 1 warnings && test_line_count = 1 warnings &&
test_must_fail git -c fetch.credentialsInUrl=die clone https://username:@localhost attempt3 2>err && test_must_fail git -c transfer.credentialsInUrl=die clone https://username:@localhost attempt3 2>err &&
grep "fatal: $message" err >warnings && grep "fatal: $message" err >warnings &&
test_line_count = 1 warnings test_line_count = 1 warnings
' '
test_expect_success 'clone does not detect username:password when it is https://username@domain:port/' ' test_expect_success 'clone does not detect username:password when it is https://username@domain:port/' '
test_must_fail git -c fetch.credentialsInUrl=warn clone https://username@localhost:8080 attempt3 2>err && test_must_fail git -c transfer.credentialsInUrl=warn clone https://username@localhost:8080 attempt3 2>err &&
! grep "uses plaintext credentials" err ! grep "uses plaintext credentials" err
' '