Credentials in Repository Settings for Pull requests are exposed
The Pull URL is hidden where specified on the settings screen. However on the Remote Sync screen, the URL is masked, but clearly visible when hovering the cursor over the masked URL, as well as obviously being visible in the page source. Makes the masking a little pointless, unless the idea is to avoid the person reading over your shoulder?!
Updated by Marcin Kuzminski [CTO] almost 2 years ago
This isn't a mistake then. The visible part is hidden from someone seeing it on the screen. The url has credentials on it (and some browsers show it, some not) so users are able to click on the URL and access it fully with the credentials.
That being said we'll discuss this again security-wise. Clearly that's convenience over security and this can be done better here.
Updated by Andrew Mould almost 2 years ago
Agreed. But all browsers will allow viewing the underlying html source, which obviously also contains the credentials in the link... if people think to look there.
To my mind the link is not needed to be shown there at all. All that's needed is the button "Pull changes from remote location", which doesn't need any credentials in it.
It all depends on what your goal is here, which I can't speak to. To me it was just an inconsistency, so I thought it should get a second look to make sure it was achieving what you were intending.