credential: sanitize the user prompt · freshlybakedca.ke/git@7725b81

Git fork

credential: sanitize the user prompt

When asking the user interactively for credentials, we want to avoid
misleading them e.g. via control sequences that pretend that the URL
targets a trusted host when it does not.

While Git learned, over the course of the preceding commits, to disallow
URLs containing URL-encoded control characters by default, credential
helpers are still allowed to specify values very freely (apart from Line
Feed and NUL characters, anything is allowed), and this would allow,
say, a username containing control characters to be specified that would
then be displayed in the interactive terminal prompt asking the user for
the password, potentially sending those control characters directly to
the terminal. This is undesirable because control characters can be used
to mislead users to divulge secret information to untrusted sites.

To prevent such an attack vector, let's add a `git_prompt()` that forces
the displayed text to be sanitized, i.e. displaying question marks
instead of control characters.

Note: While this commit's diff changes a lot of `user@host` strings to
`user%40host`, which may look suspicious on the surface, there is a good
reason for that: this string specifies a user name, not a
<username>@<hostname> combination! In the context of t5541, the actual
combination looks like this: `user%40@127.0.0.1:5541`. Therefore, these
string replacements document a net improvement introduced by this
commit, as `user@host@127.0.0.1` could have left readers wondering where
the user name ends and where the host name begins.

Hinted-at-by: Jeff King <peff@peff.net>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

Johannes Schindelin 1 year ago 7725b810 c903985b

+53 -20

7 changed files

expand all

unified split

Documentation

config

credential.txt

credential.c

credential.h

t0300-credentials.sh

t5541-http-push-smart.sh

t5550-http-fetch-dumb.sh

t5551-http-fetch-smart.sh

Documentation/config/credential.txt

··· 14 14 or https URL to be important. Defaults to false. See 15 15 linkgit:gitcredentials[7] for more information. 16 16 17 + credential.sanitizePrompt:: 18 + By default, user names and hosts that are shown as part of the 19 + password prompt are not allowed to contain control characters (they 20 + will be URL-encoded by default). Configure this setting to `false` to 21 + override that behavior. 22 + 17 23 credential.username:: 18 24 If no username is set for a network authentication, use this username 19 25 by default. See credential.<context>.* below, and

+6 -1

credential.c

··· 67 67 } 68 68 else if (!strcmp(key, "usehttppath")) 69 69 c->use_http_path = git_config_bool(var, value); 70 + else if (!strcmp(key, "sanitizeprompt")) 71 + c->sanitize_prompt = git_config_bool(var, value); 70 72 71 73 return 0; 72 74 } ··· 179 181 struct strbuf prompt = STRBUF_INIT; 180 182 char *r; 181 183 182 - credential_describe(c, &desc); 184 + if (c->sanitize_prompt) 185 + credential_format(c, &desc); 186 + else 187 + credential_describe(c, &desc); 183 188 if (desc.len) 184 189 strbuf_addf(&prompt, "%s for '%s': ", what, desc.buf); 185 190 else

+3 -1

credential.h

··· 119 119 configured:1, 120 120 quit:1, 121 121 use_http_path:1, 122 - username_from_proto:1; 122 + username_from_proto:1, 123 + sanitize_prompt:1; 123 124 124 125 char *username; 125 126 char *password; ··· 132 133 #define CREDENTIAL_INIT { \ 133 134 .helpers = STRING_LIST_INIT_DUP, \ 134 135 .password_expiry_utc = TIME_MAX, \ 136 + .sanitize_prompt = 1, \ 135 137 } 136 138 137 139 /* Initialize a credential structure, setting all fields to empty. */

+20

t/t0300-credentials.sh

··· 45 45 test -z "$pexpiry" || echo password_expiry_utc=$pexpiry 46 46 EOF 47 47 48 + write_script git-credential-cntrl-in-username <<-\EOF && 49 + printf "username=\\007latrix Lestrange\\n" 50 + EOF 51 + 48 52 PATH="$PWD:$PATH" 49 53 ' 50 54 ··· 823 827 -c credential.with%0anewline.username=uh-oh \ 824 828 credential fill <stdin >stdout 2>stderr && 825 829 test_i18ngrep "skipping credential lookup for key" stderr 830 + ' 831 + 832 + BEL="$(printf '\007')" 833 + 834 + test_expect_success 'interactive prompt is sanitized' ' 835 + check fill cntrl-in-username <<-EOF 836 + protocol=https 837 + host=example.org 838 + -- 839 + protocol=https 840 + host=example.org 841 + username=${BEL}latrix Lestrange 842 + password=askpass-password 843 + -- 844 + askpass: Password for ${SQ}https://%07latrix%20Lestrange@example.org${SQ}: 845 + EOF 826 846 ' 827 847 828 848 test_done

+3 -3

t/t5541-http-push-smart.sh

··· 351 351 git push "$HTTPD_URL"/auth/smart/test_repo.git && 352 352 git --git-dir="$HTTPD_DOCUMENT_ROOT_PATH/test_repo.git" \ 353 353 log -1 --format=%s >actual && 354 - expect_askpass both user@host && 354 + expect_askpass both user%40host && 355 355 test_cmp expect actual 356 356 ' 357 357 ··· 363 363 git push "$HTTPD_URL"/auth-push/smart/test_repo.git && 364 364 git --git-dir="$HTTPD_DOCUMENT_ROOT_PATH/test_repo.git" \ 365 365 log -1 --format=%s >actual && 366 - expect_askpass both user@host && 366 + expect_askpass both user%40host && 367 367 test_cmp expect actual 368 368 ' 369 369 ··· 393 393 git push "$HTTPD_URL/half-auth-complete/smart/half-auth.git" && 394 394 git --git-dir="$HTTPD_DOCUMENT_ROOT_PATH/half-auth.git" \ 395 395 log -1 --format=%s >actual && 396 - expect_askpass both user@host && 396 + expect_askpass both user%40host && 397 397 test_cmp expect actual 398 398 ' 399 399

+7 -7

t/t5550-http-fetch-dumb.sh

··· 90 90 test_expect_success 'http auth can use just user in URL' ' 91 91 set_askpass wrong pass@host && 92 92 git clone "$HTTPD_URL_USER/auth/dumb/repo.git" clone-auth-pass && 93 - expect_askpass pass user@host 93 + expect_askpass pass user%40host 94 94 ' 95 95 96 96 test_expect_success 'http auth can request both user and pass' ' 97 97 set_askpass user@host pass@host && 98 98 git clone "$HTTPD_URL/auth/dumb/repo.git" clone-auth-both && 99 - expect_askpass both user@host 99 + expect_askpass both user%40host 100 100 ' 101 101 102 102 test_expect_success 'http auth respects credential helper config' ' ··· 114 114 test_config_global "credential.$HTTPD_URL.username" user@host && 115 115 set_askpass wrong pass@host && 116 116 git clone "$HTTPD_URL/auth/dumb/repo.git" clone-auth-user && 117 - expect_askpass pass user@host 117 + expect_askpass pass user%40host 118 118 ' 119 119 120 120 test_expect_success 'configured username does not override URL' ' 121 121 test_config_global "credential.$HTTPD_URL.username" wrong && 122 122 set_askpass wrong pass@host && 123 123 git clone "$HTTPD_URL_USER/auth/dumb/repo.git" clone-auth-user2 && 124 - expect_askpass pass user@host 124 + expect_askpass pass user%40host 125 125 ' 126 126 127 127 test_expect_success 'set up repo with http submodules' ' ··· 142 142 set_askpass wrong pass@host && 143 143 git -c "credential.$HTTPD_URL.username=user@host" \ 144 144 clone --recursive super super-clone && 145 - expect_askpass pass user@host 145 + expect_askpass pass user%40host 146 146 ' 147 147 148 148 test_expect_success 'cmdline credential config passes submodule via fetch' ' ··· 153 153 git -C super-clone \ 154 154 -c "credential.$HTTPD_URL.username=user@host" \ 155 155 fetch --recurse-submodules && 156 - expect_askpass pass user@host 156 + expect_askpass pass user%40host 157 157 ' 158 158 159 159 test_expect_success 'cmdline credential config passes submodule update' ' ··· 170 170 git -C super-clone \ 171 171 -c "credential.$HTTPD_URL.username=user@host" \ 172 172 submodule update && 173 - expect_askpass pass user@host 173 + expect_askpass pass user%40host 174 174 ' 175 175 176 176 test_expect_success 'fetch changes via http' '

+8 -8

t/t5551-http-fetch-smart.sh

··· 181 181 echo two >expect && 182 182 set_askpass user@host pass@host && 183 183 git clone --bare "$HTTPD_URL/auth/smart/repo.git" smart-auth && 184 - expect_askpass both user@host && 184 + expect_askpass both user%40host && 185 185 git --git-dir=smart-auth log -1 --format=%s >actual && 186 186 test_cmp expect actual 187 187 ' ··· 199 199 echo two >expect && 200 200 set_askpass user@host pass@host && 201 201 git clone --bare "$HTTPD_URL/auth-fetch/smart/repo.git" half-auth && 202 - expect_askpass both user@host && 202 + expect_askpass both user%40host && 203 203 git --git-dir=half-auth log -1 --format=%s >actual && 204 204 test_cmp expect actual 205 205 ' ··· 224 224 set_askpass user@host pass@host && 225 225 git -c credential.useHttpPath=true \ 226 226 clone $HTTPD_URL/smart-redir-auth/repo.git repo-redir-auth && 227 - expect_askpass both user@host auth/smart/repo.git 227 + expect_askpass both user%40host auth/smart/repo.git 228 228 ' 229 229 230 230 test_expect_success 'GIT_TRACE_CURL redacts auth details' ' 231 231 rm -rf redact-auth trace && 232 232 set_askpass user@host pass@host && 233 233 GIT_TRACE_CURL="$(pwd)/trace" git clone --bare "$HTTPD_URL/auth/smart/repo.git" redact-auth && 234 - expect_askpass both user@host && 234 + expect_askpass both user%40host && 235 235 236 236 # Ensure that there is no "Basic" followed by a base64 string, but that 237 237 # the auth details are redacted ··· 243 243 rm -rf redact-auth trace && 244 244 set_askpass user@host pass@host && 245 245 GIT_CURL_VERBOSE=1 git clone --bare "$HTTPD_URL/auth/smart/repo.git" redact-auth 2>trace && 246 - expect_askpass both user@host && 246 + expect_askpass both user%40host && 247 247 248 248 # Ensure that there is no "Basic" followed by a base64 string, but that 249 249 # the auth details are redacted ··· 256 256 set_askpass user@host pass@host && 257 257 GIT_TRACE_REDACT=0 GIT_TRACE_CURL="$(pwd)/trace" \ 258 258 git clone --bare "$HTTPD_URL/auth/smart/repo.git" redact-auth && 259 - expect_askpass both user@host && 259 + expect_askpass both user%40host && 260 260 261 261 grep -i "Authorization: Basic [0-9a-zA-Z+/]" trace 262 262 ' ··· 568 568 # the first request prompts the user... 569 569 set_askpass user@host pass@host && 570 570 git ls-remote "$HTTPD_URL/auth/smart/repo.git" >/dev/null && 571 - expect_askpass both user@host && 571 + expect_askpass both user%40host && 572 572 573 573 # ...and the second one uses the stored value rather than 574 574 # prompting the user. ··· 599 599 # us to prompt the user again. 600 600 set_askpass user@host pass@host && 601 601 git ls-remote "$HTTPD_URL/auth/smart/repo.git" >/dev/null && 602 - expect_askpass both user@host 602 + expect_askpass both user%40host 603 603 ' 604 604 605 605 test_expect_success 'client falls back from v2 to v0 to match server' '