mirror of
https://github.com/git/git
synced 2024-08-27 03:29:21 +00:00
transfer doc: move fetch.credentialsInUrl to "transfer" config namespace
Rename the "fetch.credentialsInUrl" configuration variable introduced
in 6dcbdc0d66 (remote: create fetch.credentialsInUrl config,
2022-06-06) to "transfer".
There are existing exceptions, but generally speaking the
"<namespace>.<var>" configuration should only apply to command
described in the "namespace" (and its sub-commands, so e.g. "clone.*"
or "fetch.*" might also configure "git-remote-https").
But in the case of "fetch.credentialsInUrl" we've got a configuration
variable that configures the behavior of all of "clone", "push" and
"fetch", someone adjusting "fetch.*" configuration won't expect to
have the behavior of "git push" altered, especially as we have the
pre-existing "{transfer,fetch,receive}.fsckObjects", which configures
different parts of the transfer dialog.
So let's move this configuration variable to the "transfer" namespace
before it's exposed in a release. We could add all of
"{transfer,fetch,pull}.credentialsInUrl" at some other time, but once
we have "fetch" configure "pull" such an arrangement would would be a
confusing mess, as we'd at least need to have "fetch" configure
"push" (but not the other way around), or change existing behavior.
Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com>
Acked-by: Derrick Stolee <derrickstolee@github.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:
Ævar Arnfjörð Bjarmason
Junio C Hamano
parent
4a169da280
commit
7281c196b1
|
|
@ -54,7 +54,7 @@ UI, Workflows & Features
|
|||
|
||||
* Update the doctype written in gitweb output to xhtml5.
|
||||
|
||||
* The "fetch.credentialsInUrl" configuration variable controls what
|
||||
* The "transfer.credentialsInUrl" configuration variable controls what
|
||||
happens when a URL with embedded login credential is used on either
|
||||
"fetch" or "push". Credentials are currently only detected in
|
||||
`remote.<name>.url` config, not `remote.<name>.pushurl`.
|
||||
|
|
|
|||
|
|
@ -96,39 +96,3 @@ fetch.writeCommitGraph::
|
|||
merge and the write may take longer. Having an updated commit-graph
|
||||
file helps performance of many Git commands, including `git merge-base`,
|
||||
`git push -f`, and `git log --graph`. Defaults to false.
|
||||
|
||||
fetch.credentialsInUrl::
|
||||
A configured URL can contain plaintext credentials in the form
|
||||
`<protocol>://<user>:<password>@<domain>/<path>`. You may want
|
||||
to warn or forbid the use of such configuration (in favor of
|
||||
using linkgit:git-credential[1]).
|
||||
+
|
||||
Note that this is currently limited to detecting credentials in
|
||||
`remote.<name>.url` configuration, it won't detect credentials in
|
||||
`remote.<name>.pushurl` configuration.
|
||||
+
|
||||
You might want to enable this to prevent inadvertent credentials
|
||||
exposure, e.g. because:
|
||||
+
|
||||
* The OS or system where you're running git may not provide way way or
|
||||
otherwise allow you to configure the permissions of the
|
||||
configuration file where the username and/or password are stored.
|
||||
* Even if it does, having such data stored "at rest" might expose you
|
||||
in other ways, e.g. a backup process might copy the data to another
|
||||
system.
|
||||
* The git programs will pass the full URL to one another as arguments
|
||||
on the command-line, meaning the credentials will be exposed to oher
|
||||
users on OS's or systems that allow other users to see the full
|
||||
process list of other users. On linux the "hidepid" setting
|
||||
documented in procfs(5) allows for configuring this behavior.
|
||||
+
|
||||
If such concerns don't apply to you then you probably don't need to be
|
||||
concerned about credentials exposure due to storing that sensitive
|
||||
data in git's configuration files. If you do want to use this, set
|
||||
`fetch.credentialsInUrl` to one of these values:
|
||||
+
|
||||
* `allow` (default): Git will proceed with its activity without warning.
|
||||
* `warn`: Git will write a warning message to `stderr` when parsing a URL
|
||||
with a plaintext credential.
|
||||
* `die`: Git will write a failure message to `stderr` when parsing a URL
|
||||
with a plaintext credential.
|
||||
|
|
|
|||
|
|
@ -1,3 +1,41 @@
|
|||
transfer.credentialsInUrl::
|
||||
A configured URL can contain plaintext credentials in the form
|
||||
`<protocol>://<user>:<password>@<domain>/<path>`. You may want
|
||||
to warn or forbid the use of such configuration (in favor of
|
||||
using linkgit:git-credential[1]). This will be used on
|
||||
linkgit:git-clone[1], linkgit:git-fetch[1], linkgit:git-push[1],
|
||||
and any other direct use of the configured URL.
|
||||
+
|
||||
Note that this is currently limited to detecting credentials in
|
||||
`remote.<name>.url` configuration, it won't detect credentials in
|
||||
`remote.<name>.pushurl` configuration.
|
||||
+
|
||||
You might want to enable this to prevent inadvertent credentials
|
||||
exposure, e.g. because:
|
||||
+
|
||||
* The OS or system where you're running git may not provide way way or
|
||||
otherwise allow you to configure the permissions of the
|
||||
configuration file where the username and/or password are stored.
|
||||
* Even if it does, having such data stored "at rest" might expose you
|
||||
in other ways, e.g. a backup process might copy the data to another
|
||||
system.
|
||||
* The git programs will pass the full URL to one another as arguments
|
||||
on the command-line, meaning the credentials will be exposed to oher
|
||||
users on OS's or systems that allow other users to see the full
|
||||
process list of other users. On linux the "hidepid" setting
|
||||
documented in procfs(5) allows for configuring this behavior.
|
||||
+
|
||||
If such concerns don't apply to you then you probably don't need to be
|
||||
concerned about credentials exposure due to storing that sensitive
|
||||
data in git's configuration files. If you do want to use this, set
|
||||
`transfer.credentialsInUrl` to one of these values:
|
||||
+
|
||||
* `allow` (default): Git will proceed with its activity without warning.
|
||||
* `warn`: Git will write a warning message to `stderr` when parsing a URL
|
||||
with a plaintext credential.
|
||||
* `die`: Git will write a failure message to `stderr` when parsing a URL
|
||||
with a plaintext credential.
|
||||
|
||||
transfer.fsckObjects::
|
||||
When `fetch.fsckObjects` or `receive.fsckObjects` are
|
||||
not set, the value of this variable is used instead.
|
||||
|
|
|
|||
4
remote.c
4
remote.c
|
|
@ -623,7 +623,7 @@ static void validate_remote_url(struct remote *remote)
|
|||
struct strbuf redacted = STRBUF_INIT;
|
||||
int warn_not_die;
|
||||
|
||||
if (git_config_get_string_tmp("fetch.credentialsinurl", &value))
|
||||
if (git_config_get_string_tmp("transfer.credentialsinurl", &value))
|
||||
return;
|
||||
|
||||
if (!strcmp("warn", value))
|
||||
|
|
@ -633,7 +633,7 @@ static void validate_remote_url(struct remote *remote)
|
|||
else if (!strcmp("allow", value))
|
||||
return;
|
||||
else
|
||||
die(_("unrecognized value fetch.credentialsInURL: '%s'"), value);
|
||||
die(_("unrecognized value transfer.credentialsInURL: '%s'"), value);
|
||||
|
||||
for (i = 0; i < remote->url_nr; i++) {
|
||||
struct url_info url_info = { 0 };
|
||||
|
|
|
|||
|
|
@ -1836,18 +1836,18 @@ test_expect_success 'refuse to push a hidden ref, and make sure do not pollute t
|
|||
|
||||
test_expect_success 'fetch warns or fails when using username:password' '
|
||||
message="URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" &&
|
||||
test_must_fail git -c fetch.credentialsInUrl=allow fetch https://username:password@localhost 2>err &&
|
||||
test_must_fail git -c transfer.credentialsInUrl=allow fetch https://username:password@localhost 2>err &&
|
||||
! grep "$message" err &&
|
||||
|
||||
test_must_fail git -c fetch.credentialsInUrl=warn fetch https://username:password@localhost 2>err &&
|
||||
test_must_fail git -c transfer.credentialsInUrl=warn fetch https://username:password@localhost 2>err &&
|
||||
grep "warning: $message" err >warnings &&
|
||||
test_line_count = 3 warnings &&
|
||||
|
||||
test_must_fail git -c fetch.credentialsInUrl=die fetch https://username:password@localhost 2>err &&
|
||||
test_must_fail git -c transfer.credentialsInUrl=die fetch https://username:password@localhost 2>err &&
|
||||
grep "fatal: $message" err >warnings &&
|
||||
test_line_count = 1 warnings &&
|
||||
|
||||
test_must_fail git -c fetch.credentialsInUrl=die fetch https://username:@localhost 2>err &&
|
||||
test_must_fail git -c transfer.credentialsInUrl=die fetch https://username:@localhost 2>err &&
|
||||
grep "fatal: $message" err >warnings &&
|
||||
test_line_count = 1 warnings
|
||||
'
|
||||
|
|
@ -1855,12 +1855,12 @@ test_expect_success 'fetch warns or fails when using username:password' '
|
|||
|
||||
test_expect_success 'push warns or fails when using username:password' '
|
||||
message="URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" &&
|
||||
test_must_fail git -c fetch.credentialsInUrl=allow push https://username:password@localhost 2>err &&
|
||||
test_must_fail git -c transfer.credentialsInUrl=allow push https://username:password@localhost 2>err &&
|
||||
! grep "$message" err &&
|
||||
|
||||
test_must_fail git -c fetch.credentialsInUrl=warn push https://username:password@localhost 2>err &&
|
||||
test_must_fail git -c transfer.credentialsInUrl=warn push https://username:password@localhost 2>err &&
|
||||
grep "warning: $message" err >warnings &&
|
||||
test_must_fail git -c fetch.credentialsInUrl=die push https://username:password@localhost 2>err &&
|
||||
test_must_fail git -c transfer.credentialsInUrl=die push https://username:password@localhost 2>err &&
|
||||
grep "fatal: $message" err >warnings &&
|
||||
test_line_count = 1 warnings
|
||||
'
|
||||
|
|
|
|||
|
|
@ -73,24 +73,24 @@ test_expect_success 'clone respects GIT_WORK_TREE' '
|
|||
|
||||
test_expect_success 'clone warns or fails when using username:password' '
|
||||
message="URL '\''https://username:<redacted>@localhost/'\'' uses plaintext credentials" &&
|
||||
test_must_fail git -c fetch.credentialsInUrl=allow clone https://username:password@localhost attempt1 2>err &&
|
||||
test_must_fail git -c transfer.credentialsInUrl=allow clone https://username:password@localhost attempt1 2>err &&
|
||||
! grep "$message" err &&
|
||||
|
||||
test_must_fail git -c fetch.credentialsInUrl=warn clone https://username:password@localhost attempt2 2>err &&
|
||||
test_must_fail git -c transfer.credentialsInUrl=warn clone https://username:password@localhost attempt2 2>err &&
|
||||
grep "warning: $message" err >warnings &&
|
||||
test_line_count = 2 warnings &&
|
||||
|
||||
test_must_fail git -c fetch.credentialsInUrl=die clone https://username:password@localhost attempt3 2>err &&
|
||||
test_must_fail git -c transfer.credentialsInUrl=die clone https://username:password@localhost attempt3 2>err &&
|
||||
grep "fatal: $message" err >warnings &&
|
||||
test_line_count = 1 warnings &&
|
||||
|
||||
test_must_fail git -c fetch.credentialsInUrl=die clone https://username:@localhost attempt3 2>err &&
|
||||
test_must_fail git -c transfer.credentialsInUrl=die clone https://username:@localhost attempt3 2>err &&
|
||||
grep "fatal: $message" err >warnings &&
|
||||
test_line_count = 1 warnings
|
||||
'
|
||||
|
||||
test_expect_success 'clone does not detect username:password when it is https://username@domain:port/' '
|
||||
test_must_fail git -c fetch.credentialsInUrl=warn clone https://username@localhost:8080 attempt3 2>err &&
|
||||
test_must_fail git -c transfer.credentialsInUrl=warn clone https://username@localhost:8080 attempt3 2>err &&
|
||||
! grep "uses plaintext credentials" err
|
||||
'
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue