Skip to content

feat: redact credentials in remote urls #2220

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

feat: redact credentials in remote urls #2220

wants to merge 4 commits into from

Conversation

pd93
Copy link
Member

@pd93 pd93 commented Apr 28, 2025

Fixes #2100 and replaces #2045

Ensures that any credentials embedded in the URL are redacted by using the built in url.Redacted() function. The cache keys have also been altered slightly, so users may have to redownload some files that they already have cached.

@pd93
Copy link
Member Author

pd93 commented Apr 28, 2025

@iwittkau, very open to comments as you were the author of the last PR.

@pd93 pd93 force-pushed the 2100-redacted-url-credentials branch from 94ff7fa to 474eec1 Compare April 28, 2025 16:16
@iwittkau
Copy link
Contributor

iwittkau commented Apr 29, 2025
edited
Loading

I think this test should be added an pass:

func TestGitNode_redaction(t *testing.T) {
	t.Parallel()

	node, err := NewGitNode("https://git:token@github.com/foo/bar.git//directory/Taskfile.yml?ref=main", "", false)
	assert.NoError(t, err)
	assert.Equal(t, "main", node.ref)
	assert.Equal(t, "directory/Taskfile.yml", node.path)
	assert.Equal(t, "https://git:xxxxx@github.com/foo/bar.git//directory/Taskfile.yml?ref=main", node.Location())
	// assert.Equal(t, "https://git:xxxxx@github.com/foo/bar.git", node.URL.String())
	entrypoint, err := node.ResolveEntrypoint("common.yml")
	assert.NoError(t, err)
	assert.Equal(t, "https://git:xxxxx@github.com/foo/bar.git//directory/common.yml?ref=main", entrypoint)
}

iwittkau
iwittkau reviewed Apr 29, 2025
View reviewed changes
Copy link
Contributor

@iwittkau iwittkau left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! 🎉

I'll give it a try with my work setup tomorrow.

@iwittkau
Copy link
Contributor

I think you could keep GitNode.URL unexported to make sure its String and Redacted funcs are called correctly.

@pd93
Copy link
Member Author

pd93 commented May 1, 2025

I think you could keep GitNode.URL unexported to make sure its String and Redacted funcs are called correctly.

Yeah, we don't really need any of the properties on Node implementations to be exported. They have constructors and they're quite bespoke. Package API users can just roll their own Nodes if they need custom behavior. I have unexported all Node fields.

@pd93 pd93 requested review from andreynering and vmaerten May 1, 2025 18:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@iwittkau iwittkau iwittkau left review comments

@andreynering andreynering Awaiting requested review from andreynering

@vmaerten vmaerten Awaiting requested review from vmaerten

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Remote taskfile could potentially expose secrets
2 participants
@pd93 @iwittkau