Bug #5623
Credentials for remote repository URL leaking in Repository Header
Description
Credentials for remote repositories are asterisked out in the Remote pull uri field under Repository Settings > Remote Sync. Nice!
However, they are displayed in plain text below the Repository heading, to all users, regardless of role. Please see attached screenshot.
I'm currently running RhodeCode EE 4.19.1.
I would request that they be obfuscated here as well, and would suggest that the clone URL does not need to be a link. Or, it could just be a link to the root repository URL, without the credentials.
Updated by Marcin Kuzminski [CTO] over 4 years ago
Hi Fletcher,
We're unable to reproduce this issue. Looking at the code, the clone-from URL is wrapped in the hide-credentials helper, which should remove the username/password from this field.
Are you sure you're on 4.19.X rhodecode edition?
Updated by Marcin Kuzminski [CTO] over 4 years ago
- Status changed from New to In Progress
Updated by Fletcher Johnston over 4 years ago
- File rhodecode version.jpg added
- File repo credentials.jpg added
Hi Marcin,
I deleted my original test repository, and recreated it and was able to reproduce the issue. I'm running RhodeCode EE 4.19.3 (see attached screenshot).
I've attached a screenshot of my settings page, and of the leaking credentials (I set up the same repo that I used for the original screenshot). Note that I did use my browser inspector to remove some personal info from the screenshot.
This is an HG repo.
The exact steps I followed to reproduce this:
- Press the + button in the nav, and create a New Repository in This Repository Group
- Enter a name in the Repository Name field
- Click the "Import Existing Repository?" link under the Repository Name field
- Enter repository URL with credentials: https://user@company.com:password@vcsProvider.com/Test-Repo
- Ensure that HG is selected as the repo type
- Press "Create Repository" button.
The repo is created successfully, and the credentials are visible in the repo header as in my screenshots.
Please let me know if there is any other information I can provide to help track this down.
Updated by Marcin Kuzminski [CTO] over 4 years ago
Ahh we now see what the problem is...
The hide-credentials helper has a problem with a double @; it expects the username to be without an @.
We're going to fix this, thank you for detailed steps to reproduce this.
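The failure described above, as an added illustration that is not RhodeCode's own code: a stripper that cuts the authority at the first "@" leaks the password when the username is an e-mail address, whereas cutting at the last "@" is correct because the host part of a URL may not contain "@". The URL, host and credential below are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed clone URL in the shape from the bug report: the username is an
# e-mail address, so the userinfo part itself contains an '@'.
LEAKY_URL = "https://user@company.com:password@vcsProvider.com/Test-Repo"


def hide_credentials_naive(url):
    """Hypothetical buggy helper: assumes the userinfo contains no '@' and
    therefore splits the authority at the FIRST '@'. With an e-mail username
    this drops only 'user' and keeps 'company.com:password@' in the result."""
    scheme, rest = url.split("://", 1)
    if "@" in rest:
        _userinfo, rest = rest.split("@", 1)  # stops too early
    return scheme + "://" + rest


def hide_credentials(url):
    """Strip userinfo from a URL by splitting the netloc at its LAST '@'.
    Per RFC 3986 the host cannot contain '@', so the last one always marks
    the end of the userinfo, whatever characters the username holds."""
    parts = urlsplit(url)
    netloc = parts.netloc.rsplit("@", 1)[-1]  # host[:port] only
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def leaks_secret(rendered, secret):
    """Defensive check a UI test can run: the rendered header text must not
    contain the password that was stored in the remote URL."""
    return secret in rendered


if __name__ == "__main__":
    for helper in (hide_credentials_naive, hide_credentials):
        shown = helper(LEAKY_URL)
        print(f"{helper.__name__}: {shown}  leaks={leaks_secret(shown, 'password')}")
```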
Updated by Fletcher Johnston over 4 years ago
Marcin,
I'm glad to be able to help. Rhodecode is a fantastic product that my entire team loves. Please pass our compliments along to your team and keep up the great work.
Updated by Redmine Integration over 4 years ago
- Status changed from In Progress to Resolved
Commit 326ccc76da59 by Marcin Lulek mlulek@rhodecode.com on stable branch changed this issue.
https://code.rhodecode.com/rhodecode-enterprise-ce/changeset/326ccc76da59ebb233348222c9b85334c3803997