
repository: Fix clone credentials leaking via command line arguments

On Linux systems, users can by default observe all command line arguments of processes that may not even be owned by the same user by inspecting /proc/${PID}/cmdline. This means that we mustn't ever put any credentials in command line arguments given that unprivileged users can easily sniff them out. Instead, we typically use the environment to place credentials, which by default is not readable by any other users.

While we do this in most cases, we don't in CreateRepositoryFromURL(). This RPC uses cloneFromURLCommand(), which seemingly knows that it's bad to put credentials on the command line and thus strips them from the URL already. But afterwards it goes out of its way to put them on the command line anyway by creating a set of http.extraHeader config options that are passed to git-clone(1) via the -c switch.

Fix this by using git.WithConfigEnv() instead of git.WithConfig(), which puts the credentials into the environment instead of the command line.


Originally I only wanted to create this MR to fix test flakes caused by leaking processes, see e.g. https://gitlab.com/gitlab-org/gitaly/-/jobs/2647568573. But that also led me to discover this leak of credentials via the command line, so I'm fixing both things in the same MR.
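The two ways of handing `http.extraHeader` to git-clone(1) that the description contrasts, as an added Go illustration that is not Gitaly's code: the leaky `-c` form keeps the credential in argv, the fixed form uses Git's `GIT_CONFIG_COUNT` / `GIT_CONFIG_KEY_<n>` / `GIT_CONFIG_VALUE_<n>` environment interface (Git 2.31 and later), and a small pre-start check flags argv that still carries a secret. Function names, the sample URL and the credential are constructed for the example; the commands are built but not started.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
	"os"
	"os/exec"
	"strings"
)

// authHeaderConfig strips user:password from a clone URL and returns the clean URL plus the
// http.extraHeader value (Basic auth) that now carries them. Illustration only, not Gitaly's code.
func authHeaderConfig(rawURL string) (repoURL, header string) {
	u, err := url.Parse(rawURL)
	if err != nil || u.User == nil {
		return rawURL, ""
	}
	pass, _ := u.User.Password()
	token := base64.StdEncoding.EncodeToString([]byte(u.User.Username() + ":" + pass))
	u.User = nil
	return u.String(), "Authorization: Basic " + token
}
// cloneWithConfigArg is the leaky variant: "-c http.extraHeader=..." sits in argv, which any
// local user can read from /proc/<pid>/cmdline.
func cloneWithConfigArg(repoURL, dest, header string) *exec.Cmd {
	return exec.Command("git", "-c", "http.extraHeader="+header, "clone", repoURL, dest)
}
// cloneWithConfigEnv is the fixed variant: git reads the same config from GIT_CONFIG_COUNT /
// GIT_CONFIG_KEY_<n> / GIT_CONFIG_VALUE_<n> (git >= 2.31); the environment is not world-readable.
func cloneWithConfigEnv(repoURL, dest, header string) *exec.Cmd {
	cmd := exec.Command("git", "clone", repoURL, dest)
	cmd.Env = append(os.Environ(), "GIT_CONFIG_COUNT=1", "GIT_CONFIG_KEY_0=http.extraHeader", "GIT_CONFIG_VALUE_0="+header)
	return cmd
}
// argvLeaksSecret is a pre-start check on cmd.Args: an Authorization header or a URL with userinfo.
func argvLeaksSecret(args []string) bool {
	for _, a := range args {
		if l := strings.ToLower(a); strings.Contains(l, "authorization:") || strings.Contains(l, "://") && strings.Contains(l, "@") {
			return true
		}
	}
	return false
}
func main() {
	repo, hdr := authHeaderConfig("https://user:s3cret@example.com/group/project.git") // constructed sample
	fmt.Println("-c argv leaks: ", argvLeaksSecret(cloneWithConfigArg(repo, "dest", hdr).Args)) // true
	fmt.Println("env argv leaks:", argvLeaksSecret(cloneWithConfigEnv(repo, "dest", hdr).Args)) // false
}
```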
