From a6747255bd19d7a757dbdda8c654a9f84db19839 Mon Sep 17 00:00:00 2001 From: eric sciple Date: Thu, 12 Dec 2019 14:04:04 -0500 Subject: [PATCH] do not pass cred on command line (#108) --- dist/index.js | 23 ++++++++++++++++++----- src/git-source-provider.ts | 30 +++++++++++++++++++++++++----- 2 files changed, 43 insertions(+), 10 deletions(-) diff --git a/dist/index.js b/dist/index.js index 380d8c3..2ef372e 100644 --- a/dist/index.js +++ b/dist/index.js @@ -5271,11 +5271,24 @@ function prepareExistingDirectory(git, repositoryPath, repositoryUrl, clean) { } function configureAuthToken(git, authToken) { return __awaiter(this, void 0, void 0, function* () { - // Add extraheader (auth) - const base64Credentials = Buffer.from(`x-access-token:${authToken}`, 'utf8').toString('base64'); - core.setSecret(base64Credentials); - const authConfigValue = `AUTHORIZATION: basic ${base64Credentials}`; - yield git.config(authConfigKey, authConfigValue); + // Configure a placeholder value. This approach avoids the credential being captured + // by process creation audit events, which are commonly logged. For more information, + // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing + const placeholder = `AUTHORIZATION: basic ***`; + yield git.config(authConfigKey, placeholder); + // Determine the basic credential value + const basicCredential = Buffer.from(`x-access-token:${authToken}`, 'utf8').toString('base64'); + core.setSecret(basicCredential); + // Replace the value in the config file + const configPath = path.join(git.getWorkingDirectory(), '.git', 'config'); + let content = (yield fs.promises.readFile(configPath)).toString(); + const placeholderIndex = content.indexOf(placeholder); + if (placeholderIndex < 0 || + placeholderIndex != content.lastIndexOf(placeholder)) { + throw new Error('Unable to replace auth placeholder in .git/config'); + } + content = content.replace(placeholder, `AUTHORIZATION: basic ${basicCredential}`); + yield fs.promises.writeFile(configPath, content); }); } function removeGitConfig(git, configKey) { diff --git a/src/git-source-provider.ts b/src/git-source-provider.ts index 6b7a9f7..8c7aa15 100644 --- a/src/git-source-provider.ts +++ b/src/git-source-provider.ts @@ -259,14 +259,34 @@ async function configureAuthToken( git: IGitCommandManager, authToken: string ): Promise { - // Add extraheader (auth) - const base64Credentials = Buffer.from( + // Configure a placeholder value. This approach avoids the credential being captured + // by process creation audit events, which are commonly logged. For more information, + // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing + const placeholder = `AUTHORIZATION: basic ***` + await git.config(authConfigKey, placeholder) + + // Determine the basic credential value + const basicCredential = Buffer.from( `x-access-token:${authToken}`, 'utf8' ).toString('base64') - core.setSecret(base64Credentials) - const authConfigValue = `AUTHORIZATION: basic ${base64Credentials}` - await git.config(authConfigKey, authConfigValue) + core.setSecret(basicCredential) + + // Replace the value in the config file + const configPath = path.join(git.getWorkingDirectory(), '.git', 'config') + let content = (await fs.promises.readFile(configPath)).toString() + const placeholderIndex = content.indexOf(placeholder) + if ( + placeholderIndex < 0 || + placeholderIndex != content.lastIndexOf(placeholder) + ) { + throw new Error('Unable to replace auth placeholder in .git/config') + } + content = content.replace( + placeholder, + `AUTHORIZATION: basic ${basicCredential}` + ) + await fs.promises.writeFile(configPath, content) } async function removeGitConfig(