Remove user credentials specified in the Git origin URL (#1494)

## Changes
We set the origin URL as metadata in any jobs created by DABs. This PR
makes sure user credentials do not leak into the metadata set on the
job.
 
## Tests
Unit test

---------

Co-authored-by: Pieter Noordhuis <pieter.noordhuis@databricks.com>
shreyas-goenka 2024-06-17 15:19:00 +05:30 committed by GitHub
parent 44e3928d6a
commit ac6b80ed88
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 23 additions and 1 deletions


@ -4,6 +4,7 @@ import (
"errors"
"fmt"
"io/fs"
"net/url"
"path"
"path/filepath"
"strings"
@ -100,7 +101,22 @@ func (r *Repository) LatestCommit() (string, error) {
// return origin url if it's defined, otherwise an empty string
func (r *Repository) OriginUrl() string {
return r.config.variables["remote.origin.url"]
rawUrl := r.config.variables["remote.origin.url"]
// Remove username and password from the URL.
parsedUrl, err := url.Parse(rawUrl)
if err != nil {
// Git supports https URLs and non standard URLs like "ssh://" or "file://".
// Parsing these URLs is not supported by the Go standard library. In case
// of an error, we return the raw URL. This is okay because for ssh URLs
// because passwords cannot be included in the URL.
return rawUrl
}
// Setting User to nil removes the username and password from the URL when
// .String() is called.
// See: https://pkg.go.dev/net/url#URL.String
parsedUrl.User = nil
return parsedUrl.String()
}
// loadConfig loads and combines user specific and repository specific configuration files.
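Review bot: The `err != nil` branch of OriginUrl returns `rawUrl` untouched, so an `https://` origin whose userinfo makes `url.Parse` fail (for example an invalid percent-escape in the token) would still reach the job metadata with its credentials intact. The comment in that branch also looks inaccurate: `ssh://` and `file://` URLs do parse with net/url, and the form that fails is the scp-like `git@host:path`, which contains no `://`. I would return the raw value only for that form and drop anything else that fails to parse, e.g. `if !strings.Contains(rawUrl, "://") { return rawUrl }` followed by `return ""` inside the error branch (`strings` is already imported). For `ssh://git@host/...` origins the `parsedUrl.User = nil` line also removes the `git` user, which deserves a comment if any consumer of the metadata relies on the exact URL.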


@ -207,3 +207,9 @@ func TestRepositoryGitConfigWhenNotARepo(t *testing.T) {
originUrl := repo.OriginUrl()
assert.Equal(t, "", originUrl)
}
func TestRepositoryOriginUrlRemovesUserCreds(t *testing.T) {
repo := newTestRepository(t)
repo.addOriginUrl("https://username:token@github.com/databricks/foobar.git")
repo.assertOriginUrl("https://github.com/databricks/foobar.git")
}
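Review bot: TestRepositoryOriginUrlRemovesUserCreds pins only the `https://username:token@` case, so the error fallback in OriginUrl, the one path that returns the origin unmodified, has no coverage. I would add a case for an scp-like origin (a constructed example such as `git@github.com:databricks/foobar.git`, expected unchanged) and one for an `https://` URL without credentials (expected unchanged), so a later change to the fallback cannot silently start emitting credentials or mangling origins. The first three lines of this hunk belong to TestRepositoryGitConfigWhenNotARepo, which starts outside the hunk.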