Bug #5623
open
Credentials for remote repository URL leaking in Repository Header
Added by Fletcher Johnston over 4 years ago.
Updated over 4 years ago.
Description
Credentials for remote repositories are asterisked out in the Remote pull URI field under Repository Settings > Remote Sync. Nice!
However, they are displayed in plain text below the Repository heading, to all users, regardless of role. Please see attached screenshot.
I'm currently running RhodeCode EE 4.19.1.
I would request that they be obfuscated here as well, and would suggest that the clone URL does not need to be a link. Or, could just be a link to the root repository URL, without the credentials.
Hi Fletcher,
We're unable to reproduce this issue. Looking at the code, the clone-from URL is wrapped in the hide-credentials helper, which should remove the username/password from this field.
Are you sure you're on the 4.19.X RhodeCode edition?
- Status changed from New to In Progress
Hi Marcin,
I deleted my original test repository, and recreated it and was able to reproduce the issue. I'm running RhodeCode EE 4.19.3 (see attached screenshot).
I've attached a screenshot of my settings page, and of the leaking credentials (I set up the same repo that I used for the original screenshot). Note that I did use my browser inspector to remove some personal info from the screenshot.
This is an HG repo.
The exact steps I followed to reproduce this:
- Press the + button in the nav, and create a New Repository in This Repository Group
- Enter a name in the Repository Name field
- Click the "Import Existing Repository?" link under the Repository Name field
- Enter repository URL with credentials: https://user@company.com:password@vcsProvider.com/Test-Repo
- Ensure that HG is selected as the repo type
- Press "Create Repository" button.
The repo is created successfully, and the credentials are visible in the repo header as in my screenshots.
Please let me know if there is any other information I can provide to help track this down.
Ahh we now see what the problem is...
The hide-credentials helper has a problem with a double @: it expects the username to be without the @.
We're going to fix this, thank you for detailed steps to reproduce this.
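The failure Marcin describes (a helper that locates the userinfo by the first '@' and therefore breaks when the username itself contains an '@', as in the reproduction URL above) is illustrated below with an added Python example. This is not RhodeCode's own helper; the function names and the sample URLs are constructed for the demonstration. The robust version treats everything up to the last '@' inside the authority component as userinfo, which also keeps an '@' that appears in the path from being mistaken for credentials.

```python
# Added example: stripping userinfo from clone URLs. Not RhodeCode code;
# function names and sample URLs are hypothetical and constructed here.

def hide_credentials_first_at(url):
    """Hypothetical naive helper: splits on the FIRST '@' after '://'.

    Works for user:pass@host but leaks 'company.com:password@host' when
    the username is itself an e-mail address containing '@'.
    """
    scheme_end = url.find('://')
    if scheme_end == -1:
        return url
    rest = url[scheme_end + 3:]
    if '@' not in rest:
        return url
    _creds, after = rest.split('@', 1)
    return url[:scheme_end + 3] + after


def hide_credentials(url):
    """Strip userinfo from a URL, tolerating an unescaped '@' in the username.

    The authority component ends at the first '/', '?' or '#' after '://';
    inside it, userinfo is everything up to the LAST '@' (RFC 3986 requires
    a literal '@' in userinfo to be percent-encoded, but users type it raw).
    """
    scheme_end = url.find('://')
    if scheme_end == -1:
        return url  # scp-style (git@host:repo) or local path: nothing to do
    start = scheme_end + 3
    end = len(url)
    for delimiter in '/?#':
        idx = url.find(delimiter, start)
        if idx != -1 and idx < end:
            end = idx
    authority = url[start:end]
    last_at = authority.rfind('@')
    if last_at == -1:
        return url  # no userinfo present
    return url[:start] + authority[last_at + 1:] + url[end:]


# Constructed sample inputs (the first mirrors the shape of the report's URL).
SAMPLES = {
    'https://user@company.com:password@vcsProvider.com/Test-Repo':
        'https://vcsProvider.com/Test-Repo',
    'https://alice:s3cret@example.org/repo.git':
        'https://example.org/repo.git',
    'ssh://git@example.org:22/repo':
        'ssh://example.org:22/repo',
    'https://u:p@example.org':
        'https://example.org',
    'https://example.org/path@with/at':        # '@' in the path, no creds
        'https://example.org/path@with/at',
    'git@example.org:group/repo.git':          # scp-style, left untouched
        'git@example.org:group/repo.git',
}


def leaks_secret(url, secret):
    """True if the secret survives in the display string."""
    return secret in url


def run_checks():
    """Return (naive_leaks, robust_ok) for the sample set."""
    double_at = 'https://user@company.com:password@vcsProvider.com/Test-Repo'
    naive_leaks = leaks_secret(hide_credentials_first_at(double_at), 'password')
    robust_ok = all(hide_credentials(u) == expected for u, expected in SAMPLES.items())
    return naive_leaks, robust_ok


if __name__ == '__main__':
    for u in SAMPLES:
        print(f'{u}\n  naive : {hide_credentials_first_at(u)}\n  robust: {hide_credentials(u)}')
    print('naive leaks password, robust passes:', run_checks())
```

Splitting on the last '@' is the safe default for display purposes: the host part can never legitimately contain an unescaped '@', so anything before it is userinfo, whatever characters the user put in the username. If the display must show that credentials were present (as the settings page does with asterisks), substitute a fixed mask such as '***@' for the removed prefix rather than echoing any part of it.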
Marcin,
I'm glad to be able to help. RhodeCode is a fantastic product that my entire team loves. Please pass our compliments along to your team and keep up the great work.
- Status changed from In Progress to Resolved