Credentials for remote repository URL leaking in Repository Header
Credentials for remote repositories are asterisked out in the Remote pull uri field under Repository Settings > Remote Sync. Nice!
However, they are displayed in plain text below the Repository heading, to all users, regardless of role. Please see attached screenshot.
I'm currently running RhodeCode EE 4.19.1.
I would request that they be obfuscated here as well, and would suggest that the clone URL does not need to be a link. Or, could just be a link to the root repository URL, without the credentials.
#3 Updated by Fletcher Johnston 10 days ago
- File repo credentials.jpg added
- File rhodecode version.jpg added
I deleted my original test repository, and recreated it and was able to reproduce the issue. I'm running RhodeCode EE 4.19.3 (see attached screenshot).
I've attached a screenshot of my settings page, and of the leaking credentials (I set up the same repo that I used for the original screenshot). Note that I did use my browser inspector to remove some personal info from the screenshot.
This is an HG repo.
The exact steps I followed to reproduce this:
- Press the + button in the nav, and create a New Repository in This Repository Group
- Enter a name in the Repository Name field
- Click the "Import Existing Repository?" link under the Repository Name field
- Enter repository URL with credentials: https://email@example.com:password@vcsProvider.com/Test-Repo
- Ensure that HG is selected as the repo type
- Press the "Create Repository" button.
The repo is created successfully, and the credentials are visible in the repo header as in my screenshots.
Please let me know if there is any other information I can provide to help track this down.
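Added example, not RhodeCode's own code: a small standard-library Python helper in the spirit of the fix requested above, masking the userinfo for the header label and stripping it entirely for the link target. The URL from the reproduction steps is used as constructed sample input; the function names are this example's own.

```python
from urllib.parse import urlsplit, urlunsplit

MASK = "***"


def _split_netloc(netloc):
    """Return (userinfo, hostinfo), splitting on the LAST '@'.

    Splitting on the last '@' matters here: a username that is an e-mail
    address carries its own '@' (email@example.com:password@vcsProvider.com),
    and a password may legitimately contain one as well.
    """
    userinfo, sep, hostinfo = netloc.rpartition("@")
    if not sep:
        return None, netloc
    return userinfo, hostinfo


def strip_credentials(url):
    """Drop user:password entirely; safe to use as a link href."""
    parts = urlsplit(url)
    _, hostinfo = _split_netloc(parts.netloc)
    return urlunsplit(parts._replace(netloc=hostinfo))


def mask_credentials(url, keep_username=False):
    """Replace the credentials with a mask; safe to show as label text."""
    parts = urlsplit(url)
    userinfo, hostinfo = _split_netloc(parts.netloc)
    if userinfo is None:
        return url  # nothing embedded, nothing to hide
    if keep_username:
        # RFC 3986: the FIRST ':' separates user from password.
        user, has_pw, _ = userinfo.partition(":")
        shown = user + ":" + MASK if has_pw else user
    else:
        shown = MASK
    return urlunsplit(parts._replace(netloc=shown + "@" + hostinfo))


def repo_header(url):
    """(label, href) pair for a repository header: masked text, clean link."""
    return mask_credentials(url), strip_credentials(url)


if __name__ == "__main__":
    # Constructed sample: the clone URL from the reproduction steps above.
    sample = "https://email@example.com:password@vcsProvider.com/Test-Repo"
    print(repo_header(sample))
```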