Remove username and password in remote url for cache directory name
Currently, module remote url has some characters replaced with - so it can
be used as cache directory name on disk. However, when Puppetfile has module
urls with authentication data in format of protocol://username:password@host,
password will be leaked in cache directory name.

Added replace action for username or username and password parts for the cache
directory name to avoid leaking credentials on filesystem. Using regex as some
popular urls from e.g. gitlab are not parsable with URI.parse.
bond-os committed Jul 14, 2021
1 parent ffd00a1 commit 08fb638
Showing 3 changed files with 16 additions and 1 deletion.
1 change: 1 addition & 0 deletions CHANGELOG.mkd
Expand Up @@ -6,6 +6,7 @@ Unreleased
- Add `authorization_token` setting to allow authentication to a custom Forge server. [#1181](https://github.com/puppetlabs/r10k/pull/1181)
- (RK-135) Attempting to download the latest version for a module that has no Forge releases will now issue a meaningful error. [#1177](https://github.com/puppetlabs/r10k/pull/1177)
- Added an interface to R10K::Source::Base named `reload!` for updating the environments list for a given deployment; `reload!` is called before deployment purges to make r10k deploy pools more threadsafe. [#1172](https://github.com/puppetlabs/r10k/pull/1172)
- Remove username and password from remote url in cache directory name [#1186](https://github.com/puppetlabs/r10k/pull/1186)
----------

3.9.3
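
Review bot: The new changelog entry does not tell operators that cache directories created before this change keep their old names, and nothing in this commit removes them, so for a remote written as `protocol://username:password@host` the password stays in a directory name on disk after upgrading. Suggest extending the entry to say that the cache directory name changes for such remotes and that the previously created directories need to be removed by hand.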
2 changes: 1 addition & 1 deletion lib/r10k/git/cache.rb
Expand Up @@ -111,6 +111,6 @@ def reset!

# Reformat the remote name into something that can be used as a directory
def sanitized_dirname
@sanitized_dirname ||= @remote.gsub(/[^@\w\.-]/, '-')
@sanitized_dirname ||= @remote.gsub(/(\w+:\/\/)(.*)(@)/, '\1').gsub(/[^@\w\.-]/, '-')
end
end
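
Review bot: In the added `gsub(/(\w+:\/\/)(.*)(@)/, '\1')` the greedy `(.*)` runs to the last `@` anywhere in the remote, not only the one that ends the username/password part, so a remote without credentials that has an `@` later in its path loses its host and everything up to that `@`, and two different remotes can then map to the same cache directory. Suggest anchoring the pattern and limiting it to the part before the first `/`, for example `\A(\w+:\/\/)[^\/]*@`, which also drops the two unused capture groups; the trade-off to weigh is that a password containing an unencoded `/` would then not be stripped. The comment above `sanitized_dirname` should also say that credentials are removed.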
14 changes: 14 additions & 0 deletions spec/unit/git/cache_spec.rb
Expand Up @@ -62,4 +62,18 @@ def expect_delegation(method)
subject.cached?
end
end

describe "dirname sanitization" do
it 'sanitizes cache directory name' do
expect(subject.sanitized_dirname).to eq('git---some-git-remote')
end

context 'with username and password' do
subject { subclass.new('https://"user:pa$$w0rd:@some/git/remote') }

it 'sanitizes cache directory name' do
expect(subject.sanitized_dirname).to eq('https---some-git-remote')
end
end
end
end
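
Review bot: The fixture `'https://"user:pa$$w0rd:@some/git/remote'` has a stray `"` before `user` and a `:` after the password, so it does not exercise the `protocol://username:password@host` form the commit message describes; if that is a typo, use `'https://user:pa$$w0rd@some/git/remote'`. The commit message also covers a username without a password, which has no example here, and a case for a remote containing `@` outside the credentials part would pin down what the regex in `sanitized_dirname` is meant to leave alone.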
