From e312a381ed9fe1591c77ad1cf2bab911d5599ac1 Mon Sep 17 00:00:00 2001
From: Jake Coffman
Date: Fri, 31 Mar 2023 14:47:10 -0500
Subject: [PATCH 1/2] strip user without password
---
 main.go | 10 +++++++++-
 main_test.go | 8 ++++++--
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/main.go b/main.go
index f6d21dc..0e7be59 100644
--- a/main.go
+++ b/main.go
@@ -96,6 +96,10 @@ func Scrub(argument string) string {
 	u, err := url.ParseRequestURI(argument)
 	if err == nil && u.Host != "" && contains(allowedSchemes, u.Scheme) {
 		u.Scheme = "https"
+		// clear the user if there is no password, since it's common to use git@github.com
+		if _, isSet := u.User.Password(); !isSet {
+			u.User = nil
+		}
 		return u.String()
 	}
 	if scpUrl.MatchString(argument) {
@@ -109,7 +113,11 @@ func Scrub(argument string) string {
 			// host changed, possible attack
 			return argument
 		}
-		return newUrl
+		// clear the user if there is no password, since it's common to use git@github.com
+		if _, isSet := u.User.Password(); !isSet {
+			u.User = nil
+		}
+		return u.String()
 	}
 	return argument
 }
diff --git a/main_test.go b/main_test.go
index f7ea2fd..51cb0a0 100644
--- a/main_test.go
+++ b/main_test.go
@@ -49,11 +49,15 @@ func TestScrub(t *testing.T) {
 		},
 		{
 			input:    "git@github.com:dependabot/git-https-shim",
-			expected: "https://git@github.com/dependabot/git-https-shim",
+			expected: "https://github.com/dependabot/git-https-shim",
+		},
+		{
+			input:    "ssh://user:pass@github.com/dependabot/git-https-shim",
+			expected: "https://user:pass@github.com/dependabot/git-https-shim",
 		},
 		{
 			input:    "ssh://git@github.com/dependabot/git-https-shim",
-			expected: "https://git@github.com/dependabot/git-https-shim",
+			expected: "https://github.com/dependabot/git-https-shim",
 		},
 		{
 			input:    "ssh://github.com/dependabot/git-https-shim",
From 86552a2b52276df4966c7dddb278e790367edca4 Mon Sep 17 00:00:00 2001
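Review bot: The password check and `u.User = nil` are pasted verbatim into this hunk and again into the scp-style branch in the next hunk (`@@ -109,7 +113,11 @@`); the two rewrite paths of Scrub should share one helper so the stripping rule cannot drift between them, which matters because the scp branch also carries the host-mismatch guard and is the path an attacker-shaped input is most likely to reach. `Password()` on a nil `*url.Userinfo` returns `("", false)` in current net/url, so a URL without userinfo is handled, but that reliance deserves a word in the helper's comment rather than being implicit at two call sites. Both branches would then read `stripUserWithoutPassword(u)` before their `return u.String()`. Scrub starts before the first hunk and the body of the scp branch, where `u` and `newUrl` are built, lies between the two hunks.
```go
// stripUserWithoutPassword drops the userinfo when no password is present:
// a bare username (typically "git") only selects the SSH account and carries
// nothing the HTTPS endpoint needs. Password() is safe on a nil receiver, so a
// URL without any userinfo passes through unchanged.
func stripUserWithoutPassword(u *url.URL) {
	if _, isSet := u.User.Password(); !isSet {
		u.User = nil
	}
}
```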
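Review bot: The new table entries pin the `git@` and `user:pass@` forms but not the boundary that `Password()`'s second return value actually decides, a set-but-empty password: `ssh://user:@github.com/dependabot/git-https-shim` parses with the password marked as set, so the rewrite should keep the userinfo and yield `https://user:@github.com/dependabot/git-https-shim`, and a test is the only place that behaviour is currently documented. A case with a non-`git` username and no password would also make explicit that the stripping applies to any username, not only the `git@` convention the main.go comment mentions. The TestScrub table continues outside the hunk.
```go
		// … unchanged: existing cases …
		{
			input:    "ssh://user:@github.com/dependabot/git-https-shim",
			expected: "https://user:@github.com/dependabot/git-https-shim",
		},
		{
			input:    "ssh://deploy@github.com/dependabot/git-https-shim",
			expected: "https://github.com/dependabot/git-https-shim",
		},
```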
From: Jake Coffman
Date: Fri, 31 Mar 2023 15:52:46 -0500
Subject: [PATCH 2/2] add more info
---
 main.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/main.go b/main.go
index 0e7be59..2f30d22 100644
--- a/main.go
+++ b/main.go
@@ -96,7 +96,8 @@ func Scrub(argument string) string {
 	u, err := url.ParseRequestURI(argument)
 	if err == nil && u.Host != "" && contains(allowedSchemes, u.Scheme) {
 		u.Scheme = "https"
-		// clear the user if there is no password, since it's common to use git@github.com
+		// Clear the user if there is no password, since the URL is usually ssh://git@github.com.
+		// The username is required to tell the server you're doing Git operations, but not needed for HTTPS.
 		if _, isSet := u.User.Password(); !isSet {
 			u.User = nil
 		}
@@ -113,7 +114,8 @@ func Scrub(argument string) string {
 			// host changed, possible attack
 			return argument
 		}
-		// clear the user if there is no password, since it's common to use git@github.com
+		// Clear the user if there is no password, since the URL is usually git@github.com.
+		// The username is required to tell the server you're doing Git operations, but not needed for HTTPS.
 		if _, isSet := u.User.Password(); !isSet {
 			u.User = nil
 		}
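Review bot: The two rewritten comments already differ from each other (`ssh://git@github.com` here, `git@github.com` in the second hunk at `@@ -113,7 +114,8 @@`) and neither states the other half of the rule, which is the security-relevant one: when a password is present the whole `user:pass@` userinfo is carried into the HTTPS URL that is returned, where it acts as basic-auth credentials for the HTTPS request. A reader of either branch should not have to run the tests to learn that, so a third line such as `// A username with a password is kept and becomes the HTTPS credentials of the rewritten URL.` belongs in both places. Keeping the two comments word-for-word identical (or sharing the code) would also stop them drifting further. The enclosing Scrub function starts before the first hunk.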