

Mask Git credentials in the error message (#10115)
SerheyDolgushev committed Oct 2, 2021
1 parent 28b2b5c commit 90d112d
Showing 1 changed file with 28 additions and 0 deletions.
28 changes: 28 additions & 0 deletions src/Composer/Util/Git.php
Expand Up @@ -98,6 +98,7 @@ public function runCommand($commandCallable, $url, $cwd, $initialClone = false)
$command = call_user_func($commandCallable, $url);

$auth = null;
$credentials = array();
if ($bypassSshForGitHub || 0 !== $this->process->execute($command, $ignoredOutput, $cwd)) {
$errorMsg = $this->process->getErrorOutput();
// private github repository without ssh key access, try https with auth
Expand All @@ -121,6 +122,7 @@ public function runCommand($commandCallable, $url, $cwd, $initialClone = false)
return;
}

$credentials = array(rawurlencode($auth['username']), rawurlencode($auth['password']));
$errorMsg = $this->process->getErrorOutput();
}
} elseif (preg_match('{^https://(bitbucket\.org)/(.*?)(?:\.git)?$}i', $url, $match)) { //bitbucket oauth
Expand Down Expand Up @@ -155,6 +157,7 @@ public function runCommand($commandCallable, $url, $cwd, $initialClone = false)
return;
}

$credentials = array(rawurlencode($auth['username']), rawurlencode($auth['password']));
$errorMsg = $this->process->getErrorOutput();
} else { // Falling back to ssh
$sshUrl = 'git@bitbucket.org:' . $match[2] . '.git';
Expand Down Expand Up @@ -196,6 +199,7 @@ public function runCommand($commandCallable, $url, $cwd, $initialClone = false)
return;
}

$credentials = array(rawurlencode($auth['username']), rawurlencode($auth['password']));
$errorMsg = $this->process->getErrorOutput();
}
} elseif ($this->isAuthenticationFailure($url, $match)) { // private non-github/gitlab/bitbucket repo that failed to authenticate
Expand Down Expand Up @@ -236,6 +240,7 @@ public function runCommand($commandCallable, $url, $cwd, $initialClone = false)
return;
}

$credentials = array(rawurlencode($auth['username']), rawurlencode($auth['password']));
$errorMsg = $this->process->getErrorOutput();
}
}
Expand All @@ -244,6 +249,10 @@ public function runCommand($commandCallable, $url, $cwd, $initialClone = false)
$this->filesystem->removeDirectory($origCwd);
}

if (count($credentials) > 0) {
$command = $this->maskCredentials($command, $credentials);
$errorMsg = $this->maskCredentials($errorMsg, $credentials);
}
$this->throwException('Failed to execute ' . $command . "\n\n" . $errorMsg, $url);
}
}
Expand Down Expand Up @@ -412,4 +421,23 @@ public static function getVersion(ProcessExecutor $process)

return self::$version;
}

private function maskCredentials(string $error, array $credentials)
{
$maskedCredentials = array();

foreach ($credentials as $credential) {
if (in_array($credential, array('private-token', 'x-token-auth', 'oauth2', 'gitlab-ci-token', 'x-oauth-basic'))) {
$maskedCredentials[] = $credential;
} elseif (strlen($credential) > 6) {
$maskedCredentials[] = substr($credential, 0, 3) . '...' . substr($credential, -3);
} elseif (strlen($credential) > 3) {
$maskedCredentials[] = substr($credential, 0, 3) . '...';
} else {
$maskedCredentials[] = 'XXX';
}
}

return str_replace($credentials, $maskedCredentials, $error);
}
}
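Review bot: maskCredentials still reveals six characters of any credential longer than six bytes (first three plus last three), which for a seven- or eight-character password is most of the secret; emitting only the prefix, `$maskedCredentials[] = substr($credential, 0, 3) . '...';`, for both the `> 6` and `> 3` branches keeps the message diagnosable without that exposure. The sequential `str_replace($credentials, $maskedCredentials, $error)` is also order-dependent: when the username is a substring of the password, the first replacement rewrites part of the password so the second needle no longer matches and the rest of the password stays visible, so the longer credential should be replaced first (or each credential replaced in a separate call ordered by length). The `in_array` on the token-name list should pass `true` as its third argument so the comparison is strict. If the project still supports PHP below 7.0 (the hunk keeps `array()` syntax throughout), the `string` scalar type on `$error` will not parse there; a docblock `@param string $error` would be the compatible form.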
