repository: Fix clone credentials leaking via command line arguments
On Linux systems, users can by default observe all command line arguments of processes that may not even be owned by the same user by inspecting /proc/${PID}/cmdline. This means that we mustn't ever put any credentials in command line arguments given that unprivileged users can easily sniff them out. Instead, we typically use the environment to place credentials, which by default is not readable by any other users. While we do this in most cases, we don't in CreateRepositoryFromURL().

This RPC uses cloneFromURLCommand(), which seemingly knows that it's bad to put credentials on the command line and thus strips them from the URL already. But afterwards it goes out of its way to put them on the command line anyway by creating a set of http.extraHeader config options that are passed to git-clone(1) via the -c switch.

Fix this by using git.WithConfigEnv() instead of git.WithConfig(), which puts the credentials into the environment instead of the command line.
Originally I only wanted to create this MR to fix test flakes caused by leaking processes, see e.g. https://gitlab.com/gitlab-org/gitaly/-/jobs/2647568573. But that also led me to discover this leak of credentials via the command line, so I'm fixing both things in the same MR.
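The difference between the two approaches, as an added illustration that is not Gitaly's own code: both variants build the same git-clone(1) invocation with an http.extraHeader credential, one via the -c switch (visible in /proc/${PID}/cmdline) and one via git's GIT_CONFIG_COUNT/GIT_CONFIG_KEY_n/GIT_CONFIG_VALUE_n environment variables (the mechanism git provides for config-via-environment; the helper names, URL and token below are constructed placeholders). The commands are built but not executed.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// Constructed placeholder values for the example; not real credentials.
const (
	exampleURL   = "https://gitlab.example.com/group/project.git"
	exampleToken = "glpat-PLACEHOLDER-TOKEN"
)

// authHeader is the http.extraHeader value that carries the credential.
func authHeader(token string) string {
	return "Authorization: Bearer " + token
}

// leakyCloneCmd mirrors the behaviour before the fix: the header travels
// through `git -c`, so the token ends up in argv and is readable by any
// local user via /proc/<pid>/cmdline.
func leakyCloneCmd(url, token, dest string) *exec.Cmd {
	return exec.Command("git", "-c", "http.extraHeader="+authHeader(token), "clone", url, dest)
}

// safeCloneCmd mirrors the fix: the identical config entry is handed to git
// through its environment, which other users cannot read by default.
func safeCloneCmd(url, token, dest string) *exec.Cmd {
	cmd := exec.Command("git", "clone", url, dest)
	cmd.Env = append(os.Environ(),
		"GIT_CONFIG_COUNT=1",
		"GIT_CONFIG_KEY_0=http.extraHeader",
		"GIT_CONFIG_VALUE_0="+authHeader(token),
	)
	return cmd
}

// secretInArgs is the check a regression test would run: does any argv
// element of the prepared command contain the secret?
func secretInArgs(cmd *exec.Cmd, secret string) bool {
	for _, a := range cmd.Args {
		if strings.Contains(a, secret) {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println("-c variant leaks token via argv:", secretInArgs(leakyCloneCmd(exampleURL, exampleToken, "/tmp/repo"), exampleToken))
	fmt.Println("env variant leaks token via argv:", secretInArgs(safeCloneCmd(exampleURL, exampleToken, "/tmp/repo"), exampleToken))
}
```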