do not pass cred on command line (#108)

actions · Dec 12, 2019 · a674725 · a674725
1 parent c170eef
commit a674725
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 10 deletions.
diff --git a/dist/index.js b/dist/index.js
@@ -5271,11 +5271,24 @@ function prepareExistingDirectory(git, repositoryPath, repositoryUrl, clean) {
 }
 function configureAuthToken(git, authToken) {
     return __awaiter(this, void 0, void 0, function* () {
-        // Add extraheader (auth)
-        const base64Credentials = Buffer.from(`x-access-token:${authToken}`, 'utf8').toString('base64');
-        core.setSecret(base64Credentials);
-        const authConfigValue = `AUTHORIZATION: basic ${base64Credentials}`;
-        yield git.config(authConfigKey, authConfigValue);
+        // Configure a placeholder value. This approach avoids the credential being captured
+        // by process creation audit events, which are commonly logged. For more information,
+        // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
+        const placeholder = `AUTHORIZATION: basic ***`;
+        yield git.config(authConfigKey, placeholder);
+        // Determine the basic credential value
+        const basicCredential = Buffer.from(`x-access-token:${authToken}`, 'utf8').toString('base64');
+        core.setSecret(basicCredential);
+        // Replace the value in the config file
+        const configPath = path.join(git.getWorkingDirectory(), '.git', 'config');
+        let content = (yield fs.promises.readFile(configPath)).toString();
+        const placeholderIndex = content.indexOf(placeholder);
+        if (placeholderIndex < 0 ||
+            placeholderIndex != content.lastIndexOf(placeholder)) {
+            throw new Error('Unable to replace auth placeholder in .git/config');
+        }
+        content = content.replace(placeholder, `AUTHORIZATION: basic ${basicCredential}`);
+        yield fs.promises.writeFile(configPath, content);
     });
 }
 function removeGitConfig(git, configKey) {

diff --git a/src/git-source-provider.ts b/src/git-source-provider.ts
@@ -259,14 +259,34 @@ async function configureAuthToken(
   git: IGitCommandManager,
   authToken: string
 ): Promise<void> {
-  // Add extraheader (auth)
-  const base64Credentials = Buffer.from(
+  // Configure a placeholder value. This approach avoids the credential being captured
+  // by process creation audit events, which are commonly logged. For more information,
+  // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
+  const placeholder = `AUTHORIZATION: basic ***`
+  await git.config(authConfigKey, placeholder)
+
+  // Determine the basic credential value
+  const basicCredential = Buffer.from(
     `x-access-token:${authToken}`,
     'utf8'
   ).toString('base64')
-  core.setSecret(base64Credentials)
-  const authConfigValue = `AUTHORIZATION: basic ${base64Credentials}`
-  await git.config(authConfigKey, authConfigValue)
+  core.setSecret(basicCredential)
+
+  // Replace the value in the config file
+  const configPath = path.join(git.getWorkingDirectory(), '.git', 'config')
+  let content = (await fs.promises.readFile(configPath)).toString()
+  const placeholderIndex = content.indexOf(placeholder)
+  if (
+    placeholderIndex < 0 ||
+    placeholderIndex != content.lastIndexOf(placeholder)
+  ) {
+    throw new Error('Unable to replace auth placeholder in .git/config')
+  }
+  content = content.replace(
+    placeholder,
+    `AUTHORIZATION: basic ${basicCredential}`
+  )
+  await fs.promises.writeFile(configPath, content)
 }
 
 async function removeGitConfig(