
Github token is leaked when used as a part of remote URL #1284


Closed
0xnm opened this issue Jul 5, 2021 · 6 comments · Fixed by #1437

Comments


0xnm commented Jul 5, 2021

Github allows usage of personal access tokens with remote URLs in the format:

https://<token>@github.com/owner/repo.git

or

https://<token>:x-oauth-basic@github.com/owner/repo.git

If such a URL is used with Remote and some access-related error happens, the token (foobar in the example below) can be leaked via the exception message, like the following:

Traceback (most recent call last):
  File "start.py", line 119, in <module>
    sys.exit(run_main())
    ...
git.exc.GitCommandError: Cmd('git') failed due to: exit code(128)
  cmdline: git push --set-upstream --force ....
  stderr: 'remote: some error.
fatal: unable to access 'https://foobar:x-oauth-basic@github.com/FooBarCorp/some-repo/': The requested URL returned error: 403'

It would be nice to have an internal mechanism to prevent such leakage.

Byron (Member) commented Jul 6, 2021

Thanks for reporting.

That's interesting because passwords are already removed from URLs, at least supposedly so.

Which version of GitPython are you using? In case it's not the latest one, is the issue still reproducible with the most recent one?

0xnm (Author) commented Jul 6, 2021

Hello @Byron. I'm using version 3.1.11, but by looking at

def remove_password_if_present(cmdline):
I guess it will still be reproducible, because it only takes care of the url.password part, while in the URL format GitHub is using, the token is located in the username part. Here is a proof run: https://onecompiler.com/python/3x4mtarsc

Byron (Member) commented Jul 6, 2021

Thanks a lot for following up so quickly. I see that even though more recent versions of GitPython do better, they are still not equipped to hide all secrets.
What do you think about boosting the current implementation to the point where it considers usernames (or GitHub tokens by extension) potentially PII and thus hides them too? The existing test could probably be adjusted to do that.
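An added example (not GitPython's own code) of the broader scrubbing proposed above: a urlsplit-based redactor that blanks the whole userinfo part, so a token in the username position is hidden along with any password, applied to a command line the way remove_password_if_present is, and, going a step beyond the proposal, to free text such as git's stderr, which is where the traceback in the report leaked the token. The REDACTED marker, the function names and the sample strings are assumptions constructed for this example.

```python
import re
from typing import Iterable, List
from urllib.parse import urlsplit

# Constructed marker used in place of any removed credential component.
REDACTED = "*****"

# Matches URLs with a scheme; stops at whitespace or quote characters so a URL
# quoted inside git's stderr ('https://...') is captured without the quotes.
_URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*://[^\s'\"<>]+")


def redact_url(url: str) -> str:
    """Replace the userinfo (username and, if present, password) in a URL.

    Unlike a password-only filter, this also hides a token placed in the
    username position, which is the GitHub form quoted in the issue:
      https://<token>@github.com/owner/repo.git
      https://<token>:x-oauth-basic@github.com/owner/repo.git
    """
    parts = urlsplit(url)
    userinfo, sep, hostport = parts.netloc.rpartition("@")
    if not sep:  # no '@' in the authority part: nothing to hide
        return url
    # Keep the shape (user vs user:pass) so logs stay readable, not the values.
    masked = f"{REDACTED}:{REDACTED}" if ":" in userinfo else REDACTED
    return url.replace(parts.netloc, f"{masked}@{hostport}", 1)


def redact_cmdline(cmdline: Iterable[str]) -> List[str]:
    """Scrub each argument of a git command line (the same place GitPython's
    remove_password_if_present operates), usernames included."""
    return [redact_url(arg) for arg in cmdline]


def redact_text(text: str) -> str:
    """Scrub URLs embedded in free text such as git's stderr."""
    return _URL_RE.sub(lambda m: redact_url(m.group(0)), text)


if __name__ == "__main__":
    # Constructed sample modelled on the stderr quoted in the issue.
    sample = ("fatal: unable to access "
              "'https://foobar:x-oauth-basic@github.com/FooBarCorp/some-repo/': "
              "The requested URL returned error: 403")
    print(redact_text(sample))
```

Note that scp-style SSH remotes such as git@github.com:owner/repo.git carry no scheme and are left untouched by redact_text.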

0xnm (Author) commented Jul 6, 2021

I would agree that usernames can be considered sensitive info as well, and it is better to remove them (a threat actor may collect usernames by grabbing the logs, which will simplify brute-force attacks). Although they may be needed for debugging, I guess users can check the username they use in the URL before passing it to GitPython in their debug scenario.

torbsorb commented

From GitHub: "Support for password authentication was removed on August 13, 2021. Please use a personal access token instead."
What are the actual implications of not removing the token from the URL, as is the case with the current version of GitPython? Since this is over HTTPS, what is actually easily available for a malicious actor? We have a use case for this but are hesitant about using GitPython for this reason. The intention is to push a branch based on generated changes in CI. We have to use a token, based on GitHub's move. Are there any good alternatives (besides GitHub Action plugins)?

Byron (Member) commented Jan 31, 2022

> Since this is over HTTPS, what is actually easily available for a malicious actor?

GitPython can leak the username to a log due to the username not being obfuscated when producing an exception. Tokens are passed as extra header fields which GitPython doesn't actually know about. They would be handled by a git credentials helper program which might or might not work if git is invoked through GitPython.
