
Mask Git credentials in the error message #10115

Merged
merged 1 commit into from Oct 2, 2021

Conversation

SerheyDolgushev (Contributor)

The error message might contain Git credentials. The simplest way to reproduce it:

  1. Set up github-oauth in ~/.composer/auth.json
  2. Add some public package to your project:
     composer require contextualcode/public-package
  3. Switch the previously added package's Git repository to private, and make sure the current github-oauth token has no access to it.
  4. Remove the caches:
     composer clearcache
  5. Remove the previously checked out sources for contextualcode/public-package:
     rm -Rf vendor/contextualcode/public-package
  6. Run the composer install:
     composer install
  7. You will get an error message similar to:
     [RuntimeException]
     Failed to execute git clone --mirror -- 'https://YOUR_TOKEN:x-oauth-basic@github.com/contextualcode/public-package.git' '/Users/sd/Library/Caches/composer/vcs/git-github.com-contextualcode-public-package.git/'

     Cloning into bare repository '/Users/sd/Library/Caches/composer/vcs/git-github.com-contextualcode-public-package.git'...
     remote: Repository not found.
     fatal: repository 'https://YOUR_TOKEN:x-oauth-basic@github.com/contextualcode-public-package.git/' not found

There is no need to show the real value of YOUR_TOKEN. Instead, the masked version should be shown to improve security.
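The masking the description asks for, as an added example that is not Composer's code (the body of the PR's own maskCredentials() is not shown on this page). The function name, the sample token, the repository and the cache paths are assumptions made up for the demonstration. It goes a step beyond the single case above: besides scrubbing the known token it masks any URL userinfo, so the URL that git echoes back in its own "fatal:" line is covered as well as the command Composer ran.

```php
<?php
// Added example, not Composer's code: scrub credentials from a git error
// message before it is shown to the user or written to a log. The function
// name and all sample values below are assumptions, not Composer's.

/**
 * Mask secrets in $message in two passes:
 *  1. Any URL userinfo ("scheme://user:pass@host" or "scheme://token@host")
 *     is replaced wholesale with "***@". Both halves are masked because for
 *     GitHub the *user* part carries the token and "x-oauth-basic" is only
 *     a fixed marker. This also catches the URL git echoes back in its own
 *     "fatal:" line, not just the command line Composer built.
 *  2. Every known secret value is removed wherever it appears, in raw and
 *     percent-encoded form, in case it was copied somewhere outside a URL.
 *
 * Types are documented in phpDoc rather than with PHP 7.0 scalar type
 * declarations so the function also parses on older PHP versions.
 *
 * @param string   $message     Command line and/or process output
 * @param string[] $credentials Known secret values (e.g. the OAuth token)
 * @return string
 */
function maskCredentialsInOutput($message, array $credentials = array())
{
    // Pass 1: userinfo between "://" and the next "@", stopping at "/" or
    // whitespace so "https://github.com/owner/repo" is left untouched.
    $message = preg_replace('{(?<=://)[^/\s@]+@}', '***@', $message);

    // Pass 2: known secrets, raw and percent-encoded.
    foreach ($credentials as $secret) {
        if ($secret === '') {
            continue;
        }
        $forms = array_unique(array($secret, rawurlencode($secret), urlencode($secret)));
        $message = str_replace($forms, '***', $message);
    }

    return $message;
}

// Constructed sample (token, repository and cache path are made up) of what a
// failed "git clone --mirror" reports when the token has no access.
$token = 'EXAMPLE_TOKEN_0123456789abcdef';
$error = "Failed to execute git clone --mirror -- 'https://{$token}:x-oauth-basic@github.com/acme/private.git' '/tmp/composer/vcs/git-github.com-acme-private.git/'\n"
    . "Cloning into bare repository '/tmp/composer/vcs/git-github.com-acme-private.git'...\n"
    . "remote: Repository not found.\n"
    . "fatal: repository 'https://{$token}:x-oauth-basic@github.com/acme/private.git/' not found\n";

$masked = maskCredentialsInOutput($error, array($token));

// Fail loudly if the secret survived; a masking helper that silently misses
// a case is worse than none.
if (strpos($masked, $token) !== false) {
    throw new RuntimeException('token still present in masked output');
}
echo $masked;
```

Masking the whole userinfo rather than only the part after the colon is deliberate: for GitHub's `TOKEN:x-oauth-basic` form the secret is the user name, so a password-only mask would leak it. The cost is a harmless false positive on URLs such as `ssh://git@host/...`, where a non-secret user name is also replaced.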

@SerheyDolgushev (Contributor, Author)

Pinging @Seldaek as you seem to be the top maintainer.

@Seldaek Seldaek added this to the 2.1 milestone Oct 2, 2021
@Seldaek Seldaek added the Bug label Oct 2, 2021
@Seldaek Seldaek merged commit 90d112d into composer:master Oct 2, 2021
@Seldaek (Member) commented Oct 2, 2021

Thanks, looks sensible

@@ -412,4 +421,23 @@ public static function getVersion(ProcessExecutor $process)

return self::$version;
}

private function maskCredentials(string $error, array $credentials)
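Review bot: `string $error` in the `maskCredentials(string $error, array $credentials)` signature is a PHP 7.0 scalar type declaration; on any older PHP version this code base still has to run on it is a parse error, so drop the scalar type and document it in a phpDoc block instead, e.g. `@param string $error`, `@param array $credentials`, `@return string`. The method as shown also has no docblock at all, which would be the natural place to state what is masked and what the method returns. The hunk header (`+421,23`) promises 23 added lines but only the signature is visible here, so how the credentials are actually replaced cannot be reviewed from this excerpt.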
@herndlm (Contributor) commented Oct 19, 2021

Stumbled over that while adding types for phpstan. $error was added with a PHP 7.0 scalar type declaration here. That is going to cause problems, right? @Seldaek
UPDATE: created #10186
