From 36b68b2f68a3ed10ee7ecbb0cb9f6b1dc5da49cc Mon Sep 17 00:00:00 2001
From: Guilherme Macedo
Date: Mon, 3 Jan 2022 11:22:04 +0100
Subject: [PATCH 1/2] Redact SSH key from URL query parameter
Signed-off-by: Guilherme Macedo
---
 .gitignore | 1 +
 url.go | 7 ++++++-
 url_test.go | 26 ++++++++++++++++++++++++--
 3 files changed, 31 insertions(+), 3 deletions(-)
 create mode 100644 .gitignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 000000000..511ca2675
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+cmd/go-getter/go-getter
diff --git a/url.go b/url.go
index 1eaa4ce9f..98b73da4b 100644
--- a/url.go
+++ b/url.go
@@ -13,7 +13,12 @@ func RedactURL(u *url.URL) string {
 ru := *u
 if _, has := ru.User.Password(); has {
- ru.User = url.UserPassword(ru.User.Username(), "xxxxx")
+ ru.User = url.UserPassword(ru.User.Username(), "redacted")
+ }
+ q := ru.Query()
+ if q.Get("sshkey") != "" {
+ q.Set("sshkey", "redacted")
+ ru.RawQuery = q.Encode()
 }
 return ru.String()
 }
diff --git a/url_test.go b/url_test.go
index 3f87b0d7c..720359e5c 100644
--- a/url_test.go
+++ b/url_test.go
@@ -19,7 +19,7 @@ func TestRedactURL(t *testing.T) {
 Path: "this:that",
 User: url.UserPassword("user", "password"),
 },
- want: "http://user:xxxxx@host.tld/this:that",
+ want: "http://user:redacted@host.tld/this:that",
 },
 {
 name: "blank Password",
@@ -39,7 +39,7 @@ func TestRedactURL(t *testing.T) {
 Path: "this:that",
 User: url.UserPassword("", "password"),
 },
- want: "http://:xxxxx@host.tld/this:that",
+ want: "http://:redacted@host.tld/this:that",
 },
 {
 name: "blank Username, blank Password",
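Review bot: In `RedactURL` (url.go), the guard `q.Get("sshkey") != ""` inspects only the first `sshkey` value, so a query like `sshkey=&sshkey=<key>` (constructed example) is returned unredacted even though `q.Set` would have replaced every value. `ru.Query()` also silently discards pairs it cannot parse, so a malformed `sshkey` pair would stay verbatim in `RawQuery`; for a redaction helper it is safer to fail closed there. Checking all values of the key, as in the excerpt below, closes the first gap while keeping the blank-key case unchanged. Separately, `q.Encode()` sorts and re-escapes the whole query, which is worth a comment because the redacted string then differs from the input in more than the key value. The function starts above this hunk.

```go
	// … unchanged: password redaction …
	q := ru.Query()
	// Redact when any value of the key is non-empty, not only the first one.
	for _, v := range q["sshkey"] {
		if v != "" {
			q.Set("sshkey", "redacted")
			// Encode sorts keys and re-escapes values, so the query is normalized here.
			ru.RawQuery = q.Encode()
			break
		}
	}
	return ru.String()
```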
@@ -60,6 +60,28 @@ func TestRedactURL(t *testing.T) {
 url: nil,
 want: "",
 },
+ {
+ name: "non-blank SSH key in URL query parameter",
+ url: &url.URL{
+ Scheme: "ssh",
+ User: url.User("git"),
+ Host: "github.com",
+ Path: "hashicorp/go-getter-test-private.git",
+ RawQuery: "sshkey=LS0tLS1CRUdJTiBPUE",
+ },
+ want: "ssh://git@github.com/hashicorp/go-getter-test-private.git?sshkey=redacted",
+ },
+ {
+ name: "blank SSH key in URL query parameter",
+ url: &url.URL{
+ Scheme: "ssh",
+ User: url.User("git"),
+ Host: "github.com",
+ Path: "hashicorp/go-getter-test-private.git",
+ RawQuery: "sshkey=",
+ },
+ want: "ssh://git@github.com/hashicorp/go-getter-test-private.git?sshkey=",
+ },
 }
 for _, tt := range cases {
From 17af21e717d343bb11eb0e875fa1b88ae7dd7361 Mon Sep 17 00:00:00 2001
From: Guilherme Macedo
Date: Mon, 3 Jan 2022 11:30:47 +0100
Subject: [PATCH 2/2] Redact SSH key from URL query parameter
Signed-off-by: Guilherme Macedo
---
 url.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/url.go b/url.go
index 98b73da4b..a9aed7f50 100644
--- a/url.go
+++ b/url.go
@@ -3,9 +3,10 @@ package getter
 import "net/url"
 // RedactURL is a port of url.Redacted from the standard library,
-// which is like url.String but replaces any password with "xxxxx".
+// which is like url.String but replaces any password with "redacted".
 // Only the password in u.URL is redacted. This allows the library
 // to maintain compatibility with go1.14.
+// This port was also extended to redact SSH key from URL query parameter.
 func RedactURL(u *url.URL) string {
 if u == nil {
 return ""
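Review bot: The two new `sshkey` cases in `TestRedactURL` exercise the parameter only when it is the sole query entry, so they do not pin what `RedactURL` returns when other parameters accompany it or when the key is repeated. Since `q.Encode()` reorders keys, a case with a second parameter (for example a constructed `RawQuery: "ref=main&sshkey=LS0tLS1CRUdJTiBPUE"`) would document the expected output order, and a repeated-key case with a blank first value would catch a leak through the `q.Get` check. A case combining a password with `sshkey` would also confirm that both redactions apply to the same URL. The table and the loop continue outside the hunk.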
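Review bot: The doc comment on `RedactURL` (url.go, second patch) now contradicts itself: the retained sentence `Only the password in u.URL is redacted.` is followed by the new line saying the SSH key is redacted too. I would replace both with something like `// The password in u.User and any non-empty "sshkey" query parameter are replaced with "redacted".` and keep the go1.14 compatibility sentence after it. It is also worth stating that other query parameters are left as they are, so callers do not assume the helper scrubs every secret a URL may carry. The function body continues outside the hunk.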