Hi, On Thu, 16 May 2019, Jeff King wrote: > On Wed, May 15, 2019 at 08:59:47PM +0200, Ævar Arnfjörð Bjarmason wrote: > > > > > On Wed, May 15 2019, Martin Langhoff wrote: > > > > > Spotted this on the internet... > > > > > > https://github.blog/2019-05-14-git-ransom-campaign-incident-report/ > > > > > > Haven't hacked on git for a while, and I am not affiliated with any of > > > the stakeholders. However, reading it, I wanted to slam my head on the > > > desk. > > > > > > IIRC, git will sanely store a password elsewhere if it gets to prompt > > > for it. Should we be trying to unpack usernames/passwords from HTTP > > > urls, and DTRT with them? > > > > > > Are there other ways this could be made better? > > > > I think we should do nothing. > > I think so, too. > > But just brainstorming, one thing we _could_ do is issue a warning when > we see a password in a URL and say "hey, what you're doing isn't > fantastic; considering using a credential helper". > > Of course I suspect there are many cases where people _do_ need to store > the password in plaintext, because an automated system needs to fetch > with it. They can use the plaintext git-credential-store, but it's > slightly more hassle. And it doesn't really _solve_ the problem (though > perhaps it would be harder to accidentally expose it with your web > server!). One thing that we actually *could* do here is to anonymize the URLs stored under remote.origin.url when cloning. In no other circumstance that I can think of do we take an URL from some command-line parameter that is not *explicitly* intended for storing in the config. Combined with that warning "You cloned via a URL that contains credentials; for security reasons, the credentials were scrubbed before storing this in your Git config. Please consider using a credential manager instead of storing secrets in your Git config." this should provide a reasonable compromise. Judging from looking at my own automated jobs, it does not appear that you would *ever* need to store such credentials in the Git config, anyway. If you need to, say, push to a repository, you can always store the full URL (or the credentials) in a secret variable. Ciao, Dscho
