Bug #5623

Credentials for remote repository URL leaking in Repository Header

Added by Fletcher Johnston 4 months ago. Updated 2 months ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 16.06.2020
Due date:
% Done: 0%
Estimated time:
Sorting:
Commit Number:
Affected Version:

Description

Credentials for remote repositories are asterisked out in the Remote pull uri field under Repository Settings > Remote Sync. Nice!
However, they are displayed in plain text below the Repository heading, to all users, regardless of role. Please see the attached screenshot.

I'm currently running RhodeCode EE 4.19.1.

I would request that they be obfuscated here as well, and would suggest that the clone URL does not need to be a link. Or, could just be a link to the root repository URL, without the credentials.

Credentials.jpg (91.7 KB), Fletcher Johnston, 16.06.2020 21:10
rhodecode version.jpg (13.7 KB), Fletcher Johnston, 22.06.2020 13:30
repo credentials.jpg (76.7 KB), Fletcher Johnston, 22.06.2020 13:33

History

#1 Updated by Marcin Kuzminski [CTO] 3 months ago

Hi Fletcher,

We're unable to reproduce this issue. Looking at the code, the clone-from URL is wrapped in the hide-credentials helper, and it should remove the username/password from this field.
Are you sure you're on 4.19.X rhodecode edition?

#2 Updated by Marcin Kuzminski [CTO] 3 months ago

  • Status changed from New to In Progress

#3 Updated by Fletcher Johnston 3 months ago


Hi Marcin,

I deleted my original test repository, and recreated it and was able to reproduce the issue. I'm running RhodeCode EE 4.19.3 (see attached screenshot).

I've attached a screenshot of my settings page, and of the leaking credentials (I set up the same repo that I used for the original screenshot). Note that I did use my browser inspector to remove some personal info from the screenshot.

This is an HG repo.

The exact steps I followed to reproduce this:

  1. Press the + button in the nav, and create a New Repository in This Repository Group
  2. Enter a name in the Repository Name field
  3. Click the "Import Existing Repository?" link under the Repository Name field
  4. Enter repository URL with credentials: https://user@company.com:password@vcsProvider.com/Test-Repo
  5. Ensure that HG is selected as the repo type
  6. Press "Create Repository" button.

The repo is created successfully, and the credentials are visible in the repo header as in my screenshots.

Please let me know if there is any other information I can provide to help track this down.

#4 Updated by Marcin Kuzminski [CTO] 3 months ago

Ahh we now see what the problem is...

The hide-credentials helper has a problem with a double @; it expects the username to be without an @.

We're going to fix this, thank you for detailed steps to reproduce this.
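
The parsing mistake described in this comment, shown as an added example that is not RhodeCode's own helper: a naive redactor that splits the authority on the first `@` leaks the password when the username is e-mail shaped, while splitting on the last `@` (which is how `urllib.parse` itself locates the host) strips the whole userinfo. The sample URL is the one from the reproduction steps above.

```python
from urllib.parse import urlsplit, urlunsplit


def hide_credentials_naive(url: str) -> str:
    """Reconstruction of the buggy behaviour (not RhodeCode's code).

    Assumes the userinfo part never contains '@', so it cuts at the FIRST '@'
    after the scheme. With user@company.com:password@host the cut lands
    inside the username and 'company.com:password@host' is left in place.
    """
    scheme_end = url.find("://")
    if scheme_end == -1:
        return url
    head, rest = url[: scheme_end + 3], url[scheme_end + 3 :]
    authority_end = len(rest)
    for sep in "/?#":
        pos = rest.find(sep)
        if pos != -1:
            authority_end = min(authority_end, pos)
    authority = rest[:authority_end]
    if "@" not in authority:
        return url
    _userinfo, host = authority.split("@", 1)  # wrong when username has '@'
    return head + host + rest[authority_end:]


def hide_credentials(url: str) -> str:
    """Strip userinfo from a URL, tolerating '@' inside the username.

    The authority (netloc) ends at the first '/', '?' or '#', and the userinfo
    is everything before the LAST '@' inside it. This matches how
    urllib.parse derives hostname/username, so an e-mail-style username
    cannot cause a partial strip.
    """
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    host = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Sample clone URL taken from the reproduction steps in this ticket.
    sample = "https://user@company.com:password@vcsProvider.com/Test-Repo"
    print("naive :", hide_credentials_naive(sample))  # still contains 'password'
    print("fixed :", hide_credentials(sample))        # https://vcsProvider.com/Test-Repo
```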

#5 Updated by Fletcher Johnston 3 months ago

Marcin,

I'm glad to be able to help. Rhodecode is a fantastic product that my entire team loves. Please pass our compliments along to your team and keep up the great work.

#6 Updated by Redmine Integration 2 months ago

  • Status changed from In Progress to Resolved
