do not pass cred on command line (#108)

This commit is contained in:
eric sciple 2019-12-12 14:04:04 -05:00 committed by GitHub
parent c170eefc26
commit a6747255bd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 43 additions and 10 deletions

23
dist/index.js vendored

@ -5271,11 +5271,24 @@ function prepareExistingDirectory(git, repositoryPath, repositoryUrl, clean) {
}
function configureAuthToken(git, authToken) {
return __awaiter(this, void 0, void 0, function* () {
// Add extraheader (auth)
const base64Credentials = Buffer.from(`x-access-token:${authToken}`, 'utf8').toString('base64');
core.setSecret(base64Credentials);
const authConfigValue = `AUTHORIZATION: basic ${base64Credentials}`;
yield git.config(authConfigKey, authConfigValue);
// Configure a placeholder value. This approach avoids the credential being captured
// by process creation audit events, which are commonly logged. For more information,
// refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
const placeholder = `AUTHORIZATION: basic ***`;
yield git.config(authConfigKey, placeholder);
// Determine the basic credential value
const basicCredential = Buffer.from(`x-access-token:${authToken}`, 'utf8').toString('base64');
core.setSecret(basicCredential);
// Replace the value in the config file
const configPath = path.join(git.getWorkingDirectory(), '.git', 'config');
let content = (yield fs.promises.readFile(configPath)).toString();
const placeholderIndex = content.indexOf(placeholder);
if (placeholderIndex < 0 ||
placeholderIndex != content.lastIndexOf(placeholder)) {
throw new Error('Unable to replace auth placeholder in .git/config');
}
content = content.replace(placeholder, `AUTHORIZATION: basic ${basicCredential}`);
yield fs.promises.writeFile(configPath, content);
});
}
function removeGitConfig(git, configKey) {

@ -259,14 +259,34 @@ async function configureAuthToken(
git: IGitCommandManager,
authToken: string
): Promise<void> {
// Add extraheader (auth)
const base64Credentials = Buffer.from(
// Configure a placeholder value. This approach avoids the credential being captured
// by process creation audit events, which are commonly logged. For more information,
// refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
const placeholder = `AUTHORIZATION: basic ***`
await git.config(authConfigKey, placeholder)
// Determine the basic credential value
const basicCredential = Buffer.from(
`x-access-token:${authToken}`,
'utf8'
).toString('base64')
core.setSecret(base64Credentials)
const authConfigValue = `AUTHORIZATION: basic ${base64Credentials}`
await git.config(authConfigKey, authConfigValue)
core.setSecret(basicCredential)
// Replace the value in the config file
const configPath = path.join(git.getWorkingDirectory(), '.git', 'config')
let content = (await fs.promises.readFile(configPath)).toString()
const placeholderIndex = content.indexOf(placeholder)
if (
placeholderIndex < 0 ||
placeholderIndex != content.lastIndexOf(placeholder)
) {
throw new Error('Unable to replace auth placeholder in .git/config')
}
content = content.replace(
placeholder,
`AUTHORIZATION: basic ${basicCredential}`
)
await fs.promises.writeFile(configPath, content)
}
async function removeGitConfig(