kernel
/
git
mirror of https://git.kernel.org/pub/scm/git/git.git
1
0
Fork 0
Code Releases Activity
Browse Source

Merge branch 'jt/redact-all-cookies' 

The interface to redact sensitive information in the trace output
has been simplified.

* jt/redact-all-cookies:
  http: redact all cookies, teach GIT_TRACE_REDACT=0
maint
Junio C Hamano 5 years ago
parent
113f734907 827e7d4da4
commit
b8a5299594
3 changed files with 39 additions and 43 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 9
      Documentation/git.txt
  2. 35
      http.c
  3. 38
      t/t5551-http-fetch-smart.sh

9
Documentation/git.txt
Unescape View File

@ -775,11 +775,10 @@ for full details. @@ -775,11 +775,10 @@ for full details.
See `GIT_TRACE2` for available trace output options and
link:technical/api-trace2.html[Trace2 documentation] for full details.

`GIT_REDACT_COOKIES`::
This can be set to a comma-separated list of strings. When a curl trace
is enabled (see `GIT_TRACE_CURL` above), whenever a "Cookies:" header
sent by the client is dumped, values of cookies whose key is in that
list (case-sensitive) are redacted.
`GIT_TRACE_REDACT`::
By default, when tracing is activated, Git redacts the values of
cookies, the "Authorization:" header, and the "Proxy-Authorization:"
header. Set this variable to `0` to prevent this redaction.

`GIT_LITERAL_PATHSPECS`::
Setting this variable to `1` will cause Git to treat all

35
http.c
Unescape View File

@ -18,7 +18,7 @@ @@ -18,7 +18,7 @@

static struct trace_key trace_curl = TRACE_KEY_INIT(CURL);
static int trace_curl_data = 1;
static struct string_list cookies_to_redact = STRING_LIST_INIT_DUP;
static int trace_curl_redact = 1;
#if LIBCURL_VERSION_NUM >= 0x070a08
long int git_curl_ipresolve = CURL_IPRESOLVE_WHATEVER;
#else
@ -642,8 +642,9 @@ static void redact_sensitive_header(struct strbuf *header) @@ -642,8 +642,9 @@ static void redact_sensitive_header(struct strbuf *header)
{
const char *sensitive_header;

if (skip_prefix(header->buf, "Authorization:", &sensitive_header) ||
skip_prefix(header->buf, "Proxy-Authorization:", &sensitive_header)) {
if (trace_curl_redact &&
(skip_prefix(header->buf, "Authorization:", &sensitive_header) ||
skip_prefix(header->buf, "Proxy-Authorization:", &sensitive_header))) {
/* The first token is the type, which is OK to log */
while (isspace(*sensitive_header))
sensitive_header++;
@ -652,20 +653,15 @@ static void redact_sensitive_header(struct strbuf *header) @@ -652,20 +653,15 @@ static void redact_sensitive_header(struct strbuf *header)
/* Everything else is opaque and possibly sensitive */
strbuf_setlen(header, sensitive_header - header->buf);
strbuf_addstr(header, " <redacted>");
} else if (cookies_to_redact.nr &&
} else if (trace_curl_redact &&
skip_prefix(header->buf, "Cookie:", &sensitive_header)) {
struct strbuf redacted_header = STRBUF_INIT;
char *cookie;
const char *cookie;

while (isspace(*sensitive_header))
sensitive_header++;

/*
* The contents of header starting from sensitive_header will
* subsequently be overridden, so it is fine to mutate this
* string (hence the assignment to "char *").
*/
cookie = (char *) sensitive_header;
cookie = sensitive_header;

while (cookie) {
char *equals;
@ -678,14 +674,8 @@ static void redact_sensitive_header(struct strbuf *header) @@ -678,14 +674,8 @@ static void redact_sensitive_header(struct strbuf *header)
strbuf_addstr(&redacted_header, cookie);
continue;
}
*equals = 0; /* temporarily set to NUL for lookup */
if (string_list_lookup(&cookies_to_redact, cookie)) {
strbuf_addstr(&redacted_header, cookie);
strbuf_addstr(&redacted_header, "=<redacted>");
} else {
*equals = '=';
strbuf_addstr(&redacted_header, cookie);
}
strbuf_add(&redacted_header, cookie, equals - cookie);
strbuf_addstr(&redacted_header, "=<redacted>");
if (semicolon) {
/*
* There are more cookies. (Or, for some
@ -1003,11 +993,8 @@ static CURL *get_curl_handle(void) @@ -1003,11 +993,8 @@ static CURL *get_curl_handle(void)
setup_curl_trace(result);
if (getenv("GIT_TRACE_CURL_NO_DATA"))
trace_curl_data = 0;
if (getenv("GIT_REDACT_COOKIES")) {
string_list_split(&cookies_to_redact,
getenv("GIT_REDACT_COOKIES"), ',', -1);
string_list_sort(&cookies_to_redact);
}
if (!git_env_bool("GIT_TRACE_REDACT", 1))
trace_curl_redact = 0;

curl_easy_setopt(result, CURLOPT_USERAGENT,
user_agent ? user_agent : git_user_agent());

38
t/t5551-http-fetch-smart.sh
Unescape View File

@ -209,6 +209,16 @@ test_expect_success 'GIT_CURL_VERBOSE redacts auth details' ' @@ -209,6 +209,16 @@ test_expect_success 'GIT_CURL_VERBOSE redacts auth details' '
grep "Authorization: Basic <redacted>" trace
'

test_expect_success 'GIT_TRACE_CURL does not redact auth details if GIT_TRACE_REDACT=0' '
rm -rf redact-auth trace &&
set_askpass user@host pass@host &&
GIT_TRACE_REDACT=0 GIT_TRACE_CURL="$(pwd)/trace" \
git clone --bare "$HTTPD_URL/auth/smart/repo.git" redact-auth &&
expect_askpass both user@host &&

grep "Authorization: Basic [0-9a-zA-Z+/]" trace
'

test_expect_success 'disable dumb http on server' '
git --git-dir="$HTTPD_DOCUMENT_ROOT_PATH/repo.git" \
config http.getanyfile false
@ -454,37 +464,37 @@ test_expect_success 'fetch by SHA-1 without tag following' ' @@ -454,37 +464,37 @@ test_expect_success 'fetch by SHA-1 without tag following' '
--no-tags origin $(cat bar_hash)
'

test_expect_success 'GIT_REDACT_COOKIES redacts cookies' '
test_expect_success 'cookies are redacted by default' '
rm -rf clone &&
echo "Set-Cookie: Foo=1" >cookies &&
echo "Set-Cookie: Bar=2" >>cookies &&
GIT_TRACE_CURL=true GIT_REDACT_COOKIES=Bar,Baz \
GIT_TRACE_CURL=true \
git -c "http.cookieFile=$(pwd)/cookies" clone \
$HTTPD_URL/smart/repo.git clone 2>err &&
grep "Cookie:.*Foo=1" err &&
grep "Cookie:.*Foo=<redacted>" err &&
grep "Cookie:.*Bar=<redacted>" err &&
! grep "Cookie:.*Foo=1" err &&
! grep "Cookie:.*Bar=2" err
'

test_expect_success 'GIT_REDACT_COOKIES redacts cookies when GIT_CURL_VERBOSE=1' '
test_expect_success 'empty values of cookies are also redacted' '
rm -rf clone &&
echo "Set-Cookie: Foo=1" >cookies &&
echo "Set-Cookie: Bar=2" >>cookies &&
GIT_CURL_VERBOSE=1 GIT_REDACT_COOKIES=Bar,Baz \
echo "Set-Cookie: Foo=" >cookies &&
GIT_TRACE_CURL=true \
git -c "http.cookieFile=$(pwd)/cookies" clone \
$HTTPD_URL/smart/repo.git clone 2>err &&
grep "Cookie:.*Foo=1" err &&
grep "Cookie:.*Bar=<redacted>" err &&
! grep "Cookie:.*Bar=2" err
grep "Cookie:.*Foo=<redacted>" err
'

test_expect_success 'GIT_REDACT_COOKIES handles empty values' '
test_expect_success 'GIT_TRACE_REDACT=0 disables cookie redaction' '
rm -rf clone &&
echo "Set-Cookie: Foo=" >cookies &&
GIT_TRACE_CURL=true GIT_REDACT_COOKIES=Foo \
echo "Set-Cookie: Foo=1" >cookies &&
echo "Set-Cookie: Bar=2" >>cookies &&
GIT_TRACE_REDACT=0 GIT_TRACE_CURL=true \
git -c "http.cookieFile=$(pwd)/cookies" clone \
$HTTPD_URL/smart/repo.git clone 2>err &&
grep "Cookie:.*Foo=<redacted>" err
grep "Cookie:.*Foo=1" err &&
grep "Cookie:.*Bar=2" err
'

test_expect_success 'GIT_TRACE_CURL_NO_DATA prevents data from being traced' '

Write Preview
Loading…
Cancel
Save