Commit c29fbc6

lunnywxiaoguangzeripath
authored
Hide sensitive content on admin panel progress monitor (#19218)
Sanitize urls within git process descriptions. Co-authored-by: wxiaoguang <[email protected]> Co-authored-by: Andrew Thornton <[email protected]>
1 parent 41b60d9 commit c29fbc6

4 files changed

+50
-4
lines changed

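--- a/modules/git/command.go
+++ b/modules/git/command.go
@@ -17,6 +17,7 @@ import (
 
 "code.gitea.io/gitea/modules/log"
 "code.gitea.io/gitea/modules/process"
+"code.gitea.io/gitea/modules/util"
 )
 
 var (
@@ -142,7 +143,21 @@ func (c *Command) RunWithContext(rc *RunContext) error {
 
 desc := c.desc
 if desc == "" {
-desc = fmt.Sprintf("%s %s [repo_path: %s]", c.name, strings.Join(c.args[c.globalArgsLength:], " "), rc.Dir)
+args := c.args[c.globalArgsLength:]
+var argSensitiveURLIndexes []int
+for i, arg := range c.args {
+if strings.Contains(arg, "://") && strings.Contains(arg, "@") {
+argSensitiveURLIndexes = append(argSensitiveURLIndexes, i)
+}
+}
+if len(argSensitiveURLIndexes) > 0 {
+args = make([]string, len(c.args))
+copy(args, c.args)
+for _, urlArgIndex := range argSensitiveURLIndexes {
+args[urlArgIndex] = util.NewStringURLSanitizer(args[urlArgIndex], true).Replace(args[urlArgIndex])
+}
+}
+desc = fmt.Sprintf("%s %s [repo_path: %s]", c.name, strings.Join(args, " "), rc.Dir)
 }
 
 ctx, cancel, finished := process.GetManager().AddContextTimeout(c.parentContext, rc.Timeout, desc)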
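Review bot: When a credential-bearing URL is found, new lines 154-155 replace `args` with a copy of the whole `c.args`, so the description regains the global arguments that `c.args[c.globalArgsLength:]` on line 146 had just stripped; the loop on line 148 likewise ranges over `c.args` rather than the sliced view. The monitor text therefore has a different shape on the two paths, and whatever the global arguments carry is displayed only in the sensitive case. Ranging over `args` and cloning that slice keeps both paths identical: `for i, arg := range args {` and `args = append([]string(nil), args...)` in place of the `make`/`copy` pair. RunWithContext starts and ends outside the hunk.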

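--- a/modules/git/repo.go
+++ b/modules/git/repo.go
@@ -19,6 +19,7 @@ import (
 "time"
 
 "code.gitea.io/gitea/modules/proxy"
+"code.gitea.io/gitea/modules/util"
 )
 
 // GPGSettings represents the default GPG settings for this repository
@@ -154,6 +155,12 @@ func CloneWithArgs(ctx context.Context, from, to string, args []string, opts Clo
 }
 cmd.AddArguments("--", from, to)
 
+if strings.Contains(from, "://") && strings.Contains(from, "@") {
+cmd.SetDescription(fmt.Sprintf("clone branch %s from %s to %s (shared: %t, mirror: %t, depth: %d)", opts.Branch, util.NewStringURLSanitizer(from, true).Replace(from), to, opts.Shared, opts.Mirror, opts.Depth))
+} else {
+cmd.SetDescription(fmt.Sprintf("clone branch %s from %s to %s (shared: %t, mirror: %t, depth: %d)", opts.Branch, from, to, opts.Shared, opts.Mirror, opts.Depth))
+}
+
 if opts.Timeout <= 0 {
 opts.Timeout = -1
 }
@@ -201,6 +208,11 @@ func Push(ctx context.Context, repoPath string, opts PushOptions) error {
 if len(opts.Branch) > 0 {
 cmd.AddArguments(opts.Branch)
 }
+if strings.Contains(opts.Remote, "://") && strings.Contains(opts.Remote, "@") {
+cmd.SetDescription(fmt.Sprintf("push branch %s to %s (force: %t, mirror: %t)", opts.Branch, util.NewStringURLSanitizer(opts.Remote, true).Replace(opts.Remote), opts.Force, opts.Mirror))
+} else {
+cmd.SetDescription(fmt.Sprintf("push branch %s to %s (force: %t, mirror: %t)", opts.Branch, opts.Remote, opts.Force, opts.Mirror))
+}
 var outbuf, errbuf strings.Builder
 
 if opts.Timeout == 0 {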
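Review bot: The guard `strings.Contains(x, "://") && strings.Contains(x, "@")` and a pair of near-identical `SetDescription` format strings are written out by hand in CloneWithArgs (new lines 158-162) and Push (211-215), and the same pattern recurs in UpdateAddress and AddPushMirrorRemote in this commit. This heuristic decides whether a credential reaches the admin monitor, so it is safer in one helper: a later tightening then cannot miss a call site, and the paired format strings cannot drift apart. In each caller that reduces to computing the display value once, e.g. `displayFrom := from`, reassigned to `util.NewStringURLSanitizer(from, true).Replace(from)` under the guard, followed by a single `cmd.SetDescription(...)`. Both functions continue outside their hunks.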

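--- a/services/mirror/mirror_pull.go
+++ b/services/mirror/mirror_pull.go
@@ -38,7 +38,13 @@ func UpdateAddress(ctx context.Context, m *repo_model.Mirror, addr string) error
 return err
 }
 
-_, err = git.NewCommand(ctx, "remote", "add", remoteName, "--mirror=fetch", addr).RunInDir(repoPath)
+cmd := git.NewCommand(ctx, "remote", "add", remoteName, "--mirror=fetch", addr)
+if strings.Contains(addr, "://") && strings.Contains(addr, "@") {
+cmd.SetDescription(fmt.Sprintf("remote add %s --mirror=fetch %s [repo_path: %s]", remoteName, util.NewStringURLSanitizer(addr, true).Replace(addr), repoPath))
+} else {
+cmd.SetDescription(fmt.Sprintf("remote add %s --mirror=fetch %s [repo_path: %s]", remoteName, addr, repoPath))
+}
+_, err = cmd.RunInDir(repoPath)
 if err != nil && !strings.HasPrefix(err.Error(), "exit status 128 - fatal: No such remote ") {
 return err
 }
@@ -52,7 +58,13 @@ func UpdateAddress(ctx context.Context, m *repo_model.Mirror, addr string) error
 return err
 }
 
-_, err = git.NewCommand(ctx, "remote", "add", remoteName, "--mirror=fetch", wikiRemotePath).RunInDir(wikiPath)
+cmd = git.NewCommand(ctx, "remote", "add", remoteName, "--mirror=fetch", wikiRemotePath)
+if strings.Contains(wikiRemotePath, "://") && strings.Contains(wikiRemotePath, "@") {
+cmd.SetDescription(fmt.Sprintf("remote add %s --mirror=fetch %s [repo_path: %s]", remoteName, util.NewStringURLSanitizer(wikiRemotePath, true).Replace(wikiRemotePath), wikiPath))
+} else {
+cmd.SetDescription(fmt.Sprintf("remote add %s --mirror=fetch %s [repo_path: %s]", remoteName, wikiRemotePath, wikiPath))
+}
+_, err = cmd.RunInDir(wikiPath)
 if err != nil && !strings.HasPrefix(err.Error(), "exit status 128 - fatal: No such remote ") {
 return err
 }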
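Review bot: Only the process description is sanitized here; the `err` returned at new lines 48-50 and 68-70 is passed up exactly as git produced it. The prefix test against `"exit status 128 - fatal: No such remote "` shows that `err.Error()` carries git's stderr text, so if git echoes the remote address in a failure message, the credential in `addr` or `wikiRemotePath` would presumably still reach whatever logs or displays this error. Consider passing the message through the same replacer before it leaves the function, e.g. `util.NewStringURLSanitizer(addr, true).Replace(err.Error())`, or confirm that callers already do so. UpdateAddress starts and ends outside both hunks.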

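--- a/services/mirror/mirror_push.go
+++ b/services/mirror/mirror_push.go
@@ -10,6 +10,7 @@ import (
 "fmt"
 "io"
 "regexp"
+"strings"
 "time"
 
 repo_model "code.gitea.io/gitea/models/repo"
@@ -28,7 +29,13 @@ var stripExitStatus = regexp.MustCompile(`exit status \d+ - `)
 // AddPushMirrorRemote registers the push mirror remote.
 func AddPushMirrorRemote(ctx context.Context, m *repo_model.PushMirror, addr string) error {
 addRemoteAndConfig := func(addr, path string) error {
-if _, err := git.NewCommand(ctx, "remote", "add", "--mirror=push", m.RemoteName, addr).RunInDir(path); err != nil {
+cmd := git.NewCommand(ctx, "remote", "add", "--mirror=push", m.RemoteName, addr)
+if strings.Contains(addr, "://") && strings.Contains(addr, "@") {
+cmd.SetDescription(fmt.Sprintf("remote add %s --mirror=push %s [repo_path: %s]", m.RemoteName, util.NewStringURLSanitizer(addr, true).Replace(addr), path))
+} else {
+cmd.SetDescription(fmt.Sprintf("remote add %s --mirror=push %s [repo_path: %s]", m.RemoteName, addr, path))
+}
+if _, err := cmd.RunInDir(path); err != nil {
 return err
 }
 if _, err := git.NewCommand(ctx, "config", "--add", "remote."+m.RemoteName+".push", "+refs/heads/*:refs/heads/*").RunInDir(path); err != nil {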
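Review bot: The description on new lines 34 and 36 reads `remote add %s --mirror=push %s`, but the command built on line 32 passes `--mirror=push` before `m.RemoteName`, so the admin monitor shows an argument order that was never run. Matching the real invocation keeps the monitor reliable as an audit aid: use `"remote add --mirror=push %s %s [repo_path: %s]"` in both branches. AddPushMirrorRemote continues past the end of the hunk.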
