From d827903159c3c1677c60e782c9d836c35e076770 Mon Sep 17 00:00:00 2001
From: eric sciple <ericsciple@users.noreply.github.com>
Date: Wed, 11 Dec 2019 22:26:04 -0500
Subject: [PATCH] do not pass cred on command line

---
 dist/index.js              | 23 ++++++++++++++++++-----
 src/git-source-provider.ts | 30 +++++++++++++++++++++++++-----
 2 files changed, 43 insertions(+), 10 deletions(-)

diff --git a/dist/index.js b/dist/index.js
index 380d8c3..2ef372e 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -5271,11 +5271,24 @@ function prepareExistingDirectory(git, repositoryPath, repositoryUrl, clean) {
 }
 function configureAuthToken(git, authToken) {
     return __awaiter(this, void 0, void 0, function* () {
-        // Add extraheader (auth)
-        const base64Credentials = Buffer.from(`x-access-token:${authToken}`, 'utf8').toString('base64');
-        core.setSecret(base64Credentials);
-        const authConfigValue = `AUTHORIZATION: basic ${base64Credentials}`;
-        yield git.config(authConfigKey, authConfigValue);
+        // Configure a placeholder value. This approach avoids the credential being captured
+        // by process creation audit events, which are commonly logged. For more information,
+        // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
+        const placeholder = `AUTHORIZATION: basic ***`;
+        yield git.config(authConfigKey, placeholder);
+        // Determine the basic credential value
+        const basicCredential = Buffer.from(`x-access-token:${authToken}`, 'utf8').toString('base64');
+        core.setSecret(basicCredential);
+        // Replace the value in the config file
+        const configPath = path.join(git.getWorkingDirectory(), '.git', 'config');
+        let content = (yield fs.promises.readFile(configPath)).toString();
+        const placeholderIndex = content.indexOf(placeholder);
+        if (placeholderIndex < 0 ||
+            placeholderIndex != content.lastIndexOf(placeholder)) {
+            throw new Error('Unable to replace auth placeholder in .git/config');
+        }
+        content = content.replace(placeholder, `AUTHORIZATION: basic ${basicCredential}`);
+        yield fs.promises.writeFile(configPath, content);
     });
 }
 function removeGitConfig(git, configKey) {
diff --git a/src/git-source-provider.ts b/src/git-source-provider.ts
index 6b7a9f7..8c7aa15 100644
--- a/src/git-source-provider.ts
+++ b/src/git-source-provider.ts
@@ -259,14 +259,34 @@ async function configureAuthToken(
   git: IGitCommandManager,
   authToken: string
 ): Promise<void> {
-  // Add extraheader (auth)
-  const base64Credentials = Buffer.from(
+  // Configure a placeholder value. This approach avoids the credential being captured
+  // by process creation audit events, which are commonly logged. For more information,
+  // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
+  const placeholder = `AUTHORIZATION: basic ***`
+  await git.config(authConfigKey, placeholder)
+
+  // Determine the basic credential value
+  const basicCredential = Buffer.from(
     `x-access-token:${authToken}`,
     'utf8'
   ).toString('base64')
-  core.setSecret(base64Credentials)
-  const authConfigValue = `AUTHORIZATION: basic ${base64Credentials}`
-  await git.config(authConfigKey, authConfigValue)
+  core.setSecret(basicCredential)
+
+  // Replace the value in the config file
+  const configPath = path.join(git.getWorkingDirectory(), '.git', 'config')
+  let content = (await fs.promises.readFile(configPath)).toString()
+  const placeholderIndex = content.indexOf(placeholder)
+  if (
+    placeholderIndex < 0 ||
+    placeholderIndex != content.lastIndexOf(placeholder)
+  ) {
+    throw new Error('Unable to replace auth placeholder in .git/config')
+  }
+  content = content.replace(
+    placeholder,
+    `AUTHORIZATION: basic ${basicCredential}`
+  )
+  await fs.promises.writeFile(configPath, content)
 }
 
 async function removeGitConfig(
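Review bot: The duplicate-placeholder guard on the line `placeholderIndex != content.lastIndexOf(placeholder)` uses loose inequality; under the project's strict lint settings this should be `placeholderIndex !== content.lastIndexOf(placeholder)`, which is the only change needed. The function now bypasses git and edits `.git/config` directly, which presumably only works when `git.getWorkingDirectory()` holds a real `.git` directory rather than a gitdir file (worktrees, submodules) — worth a TSDoc line on configureAuthToken stating that the credential is written straight into `.git/config` so it never appears on a command line, and that the file is expected at `<workdir>/.git/config`. The signature of configureAuthToken starts above the hunk.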