Hello everyone, I have an issue with git credential-store. In my global configuration dir (.config/git/config) I had the line [credential] helper = store while ini a repository's .git/config while I have [credential] helper = "store --file=./.git/git-credentials" to store credentials "locally". I thought the latter would overrule the former However what happens is the following: 1) On first run the file repo-local file ./.git/git-credentials gets created and the credentials are saved there after the user is queried for a password 2) On subsequent runs the credentials get recovered from ./.git/git-credentials and the user is NOT asked for credentials 2b) **Here is the weird behavior** git ALSO creates the .git-credentials file in the home directory and saves a copy of credentials there. The behavior 2b leads to exfiltration of passwords to a location a user might not expect. Workaround: Remove the line [credential] helper = store in the global config. It seems that the global config somehow does not get shadowed by the local one! I think this is a bug with mild security implications. Let me know. Best, Gennady -- Gennady Uraltsev <gennady.uraltsev@xxxxxxxxx> (https://guraltsev.github.io)
