On 2025-01-10 at 21:32:44, Junio C Hamano wrote: > M Hickford <mirth.hickford@xxxxxxxxx> writes: > > > It would be neat to warn similarly if the user includes a personal access token in the *user* field of the remote URL: > > > > git clone https://<pat>@github.com/... > > > > This is a popular practice according to StackOverflow > > https://stackoverflow.com/a/70320541/284795 (800k views). > > > > GitHub personal access tokens are easily recognised by their > > prefixes "ghp_" and "github_pat_" There are also other prefixes as well. > Curious. I do not think we have *any* code to special case such a > "token", so to Git itself, https://<pat>@github.com/... should look > as it (assuming <pat> does not have any colon in it) is trying to > access the site with <pat> as the username. That is accurate. GitHub has accepted a token in the username for some time (at least since 2019, and probably longer) for reasons which are unknown to me. From a security perspective, I would recommend users not do so, since many tools log the username and not the password[0], but it's almost certainly too late to change it now. I can mention it, but even if there was a decision to drop that, it would require a long deprecation period. > How do we _know_ that this request with <pat> do not need a > password? I ask because I'd prefer not to see us hardcoding any > hosting-site specific heuristics in the code, and these users > apparently are doing fine without any such hardcoding. If we can > reuse the mechanism that is letting them do so when deciding if we > should warn, it would be great. I don't think in general we can know whether a credential is just a plain username or a token without trying to guess based on the content. For instance, before `http.emptyAuth`, it was common if one was using Kerberos to put one's username in the URL because that triggered libcurl to do authentication, whereas it would not if no credentials were specified. I still have that configured, and I bet a lot of others do as well. It's also common for people with both work and personal accounts on a site to put the username in the URL so that the correct credentials are looked up in the credential helper. And all of that is fine and secure since there are no actual secrets in the username in those cases. So there are lots of legitimate reasons to place only a username there, and we'd only be able to know if it's actually a token by hard-coding patterns. I would recommend that we not do that, since I can't guarantee that the list of patterns won't expand in the future (it already has before), and there are still some older hex-only patterns which may be in use and which are much less obvious. > Are users expected to configure their credential helpers know that > it is a <pat> (perhaps with authtype=Bearer)? No, this is Basic auth. It's just that GitHub will look at either the username or password field for the token. [0] The two systems at GitHub which handle these credentials (the Git service and the Git auth service) are designed to recognize tokens in the username and obscure them instead of logging them. Pretty much no other tools on the Internet do that, though. -- brian m. carlson (they/them or he/him) Toronto, Ontario, CA
Attachment:
signature.asc
Description: PGP signature
