Skip to content

Commit ec6718e

Browse files
ethantkoeniglafriks
authored andcommitted
Sanitize logs for mirror sync (#3057, #3082) (#3078)
* Sanitize logs for mirror sync * Fix error message sanitiziation (#3082)
1 parent 8f7054a commit ec6718e

File tree

5 files changed

+105
-34
lines changed

5 files changed

+105
-34
lines changed

models/repo.go

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -605,9 +605,14 @@ func (repo *Repository) RepoPath() string {
605605
return repo.repoPath(x)
606606
}
607607

608+
// GitConfigPath returns the path to a repository's git config/ directory
609+
func GitConfigPath(repoPath string) string {
610+
return filepath.Join(repoPath, "config")
611+
}
612+
608613
// GitConfigPath returns the repository git config path
609614
func (repo *Repository) GitConfigPath() string {
610-
return filepath.Join(repo.RepoPath(), "config")
615+
return GitConfigPath(repo.RepoPath())
611616
}
612617

613618
// RelLink returns the repository relative link

models/repo_mirror.go

Lines changed: 42 additions & 28 deletions
Original file line numberDiff line numberDiff line change
@@ -6,18 +6,18 @@ package models
66

77
import (
88
"fmt"
9-
"strings"
109
"time"
1110

12-
"github.com/Unknwon/com"
13-
"github.com/go-xorm/xorm"
14-
"gopkg.in/ini.v1"
15-
1611
"code.gitea.io/git"
1712
"code.gitea.io/gitea/modules/log"
1813
"code.gitea.io/gitea/modules/process"
1914
"code.gitea.io/gitea/modules/setting"
2015
"code.gitea.io/gitea/modules/sync"
16+
"code.gitea.io/gitea/modules/util"
17+
18+
"github.com/Unknwon/com"
19+
"github.com/go-xorm/xorm"
20+
"gopkg.in/ini.v1"
2121
)
2222

2323
// MirrorQueue holds an UniqueQueue object of the mirror
@@ -76,41 +76,41 @@ func (m *Mirror) ScheduleNextUpdate() {
7676
m.NextUpdate = time.Now().Add(m.Interval)
7777
}
7878

79+
func remoteAddress(repoPath string) (string, error) {
80+
cfg, err := ini.Load(GitConfigPath(repoPath))
81+
if err != nil {
82+
return "", err
83+
}
84+
return cfg.Section("remote \"origin\"").Key("url").Value(), nil
85+
}
86+
7987
func (m *Mirror) readAddress() {
8088
if len(m.address) > 0 {
8189
return
8290
}
83-
84-
cfg, err := ini.Load(m.Repo.GitConfigPath())
91+
var err error
92+
m.address, err = remoteAddress(m.Repo.RepoPath())
8593
if err != nil {
86-
log.Error(4, "Load: %v", err)
87-
return
94+
log.Error(4, "remoteAddress: %v", err)
8895
}
89-
m.address = cfg.Section("remote \"origin\"").Key("url").Value()
9096
}
9197

92-
// HandleCloneUserCredentials replaces user credentials from HTTP/HTTPS URL
93-
// with placeholder <credentials>.
94-
// It will fail for any other forms of clone addresses.
95-
func HandleCloneUserCredentials(url string, mosaics bool) string {
96-
i := strings.Index(url, "@")
97-
if i == -1 {
98-
return url
99-
}
100-
start := strings.Index(url, "://")
101-
if start == -1 {
102-
return url
103-
}
104-
if mosaics {
105-
return url[:start+3] + "<credentials>" + url[i:]
98+
// sanitizeOutput sanitizes output of a command, replacing occurrences of the
99+
// repository's remote address with a sanitized version.
100+
func sanitizeOutput(output, repoPath string) (string, error) {
101+
remoteAddr, err := remoteAddress(repoPath)
102+
if err != nil {
103+
// if we're unable to load the remote address, then we're unable to
104+
// sanitize.
105+
return "", err
106106
}
107-
return url[:start+3] + url[i+1:]
107+
return util.SanitizeMessage(output, remoteAddr), nil
108108
}
109109

110110
// Address returns mirror address from Git repository config without credentials.
111111
func (m *Mirror) Address() string {
112112
m.readAddress()
113-
return HandleCloneUserCredentials(m.address, false)
113+
return util.SanitizeURLCredentials(m.address, false)
114114
}
115115

116116
// FullAddress returns mirror address from Git repository config.
@@ -145,7 +145,14 @@ func (m *Mirror) runSync() bool {
145145
if _, stderr, err := process.GetManager().ExecDir(
146146
timeout, repoPath, fmt.Sprintf("Mirror.runSync: %s", repoPath),
147147
"git", gitArgs...); err != nil {
148-
desc := fmt.Sprintf("Failed to update mirror repository '%s': %s", repoPath, stderr)
148+
// sanitize the output, since it may contain the remote address, which may
149+
// contain a password
150+
message, err := sanitizeOutput(stderr, repoPath)
151+
if err != nil {
152+
log.Error(4, "sanitizeOutput: %v", err)
153+
return false
154+
}
155+
desc := fmt.Sprintf("Failed to update mirror repository '%s': %s", repoPath, message)
149156
log.Error(4, desc)
150157
if err = CreateRepositoryNotice(desc); err != nil {
151158
log.Error(4, "CreateRepositoryNotice: %v", err)
@@ -170,7 +177,14 @@ func (m *Mirror) runSync() bool {
170177
if _, stderr, err := process.GetManager().ExecDir(
171178
timeout, wikiPath, fmt.Sprintf("Mirror.runSync: %s", wikiPath),
172179
"git", "remote", "update", "--prune"); err != nil {
173-
desc := fmt.Sprintf("Failed to update mirror wiki repository '%s': %s", wikiPath, stderr)
180+
// sanitize the output, since it may contain the remote address, which may
181+
// contain a password
182+
message, err := sanitizeOutput(stderr, wikiPath)
183+
if err != nil {
184+
log.Error(4, "sanitizeOutput: %v", err)
185+
return false
186+
}
187+
desc := fmt.Sprintf("Failed to update mirror wiki repository '%s': %s", wikiPath, message)
174188
log.Error(4, desc)
175189
if err = CreateRepositoryNotice(desc); err != nil {
176190
log.Error(4, "CreateRepositoryNotice: %v", err)

modules/util/sanitize.go

Lines changed: 48 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,48 @@
1+
// Copyright 2017 The Gitea Authors. All rights reserved.
2+
// Use of this source code is governed by a MIT-style
3+
// license that can be found in the LICENSE file.
4+
5+
package util
6+
7+
import (
8+
"net/url"
9+
"strings"
10+
)
11+
12+
// urlSafeError wraps an error whose message may contain a sensitive URL
13+
type urlSafeError struct {
14+
err error
15+
unsanitizedURL string
16+
}
17+
18+
func (err urlSafeError) Error() string {
19+
return SanitizeMessage(err.err.Error(), err.unsanitizedURL)
20+
}
21+
22+
// URLSanitizedError returns the sanitized version an error whose message may
23+
// contain a sensitive URL
24+
func URLSanitizedError(err error, unsanitizedURL string) error {
25+
return urlSafeError{err: err, unsanitizedURL: unsanitizedURL}
26+
}
27+
28+
// SanitizeMessage sanitizes a message which may contains a sensitive URL
29+
func SanitizeMessage(message, unsanitizedURL string) string {
30+
sanitizedURL := SanitizeURLCredentials(unsanitizedURL, true)
31+
return strings.Replace(message, unsanitizedURL, sanitizedURL, -1)
32+
}
33+
34+
// SanitizeURLCredentials sanitizes a url, either removing user credentials
35+
// or replacing them with a placeholder.
36+
func SanitizeURLCredentials(unsanitizedURL string, usePlaceholder bool) string {
37+
u, err := url.Parse(unsanitizedURL)
38+
if err != nil {
39+
// don't log the error, since it might contain unsanitized URL.
40+
return "(unparsable url)"
41+
}
42+
if u.User != nil && usePlaceholder {
43+
u.User = url.User("<credentials>")
44+
} else {
45+
u.User = nil
46+
}
47+
return u.String()
48+
}

routers/api/v1/repo/repo.go

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -9,15 +9,14 @@ import (
99
"net/http"
1010
"strings"
1111

12-
api "code.gitea.io/sdk/gitea"
13-
1412
"code.gitea.io/gitea/models"
1513
"code.gitea.io/gitea/modules/auth"
1614
"code.gitea.io/gitea/modules/context"
1715
"code.gitea.io/gitea/modules/log"
1816
"code.gitea.io/gitea/modules/setting"
1917
"code.gitea.io/gitea/modules/util"
2018
"code.gitea.io/gitea/routers/api/v1/convert"
19+
api "code.gitea.io/sdk/gitea"
2120
)
2221

2322
// Search repositories via options
@@ -322,12 +321,13 @@ func Migrate(ctx *context.APIContext, form auth.MigrateRepoForm) {
322321
RemoteAddr: remoteAddr,
323322
})
324323
if err != nil {
324+
err = util.URLSanitizedError(err, remoteAddr)
325325
if repo != nil {
326326
if errDelete := models.DeleteRepository(ctx.User, ctxUser.ID, repo.ID); errDelete != nil {
327327
log.Error(4, "DeleteRepository: %v", errDelete)
328328
}
329329
}
330-
ctx.Error(500, "MigrateRepository", models.HandleCloneUserCredentials(err.Error(), true))
330+
ctx.Error(500, "MigrateRepository", err)
331331
return
332332
}
333333

routers/repo/repo.go

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,7 @@ import (
2020
"code.gitea.io/gitea/modules/context"
2121
"code.gitea.io/gitea/modules/log"
2222
"code.gitea.io/gitea/modules/setting"
23+
"code.gitea.io/gitea/modules/util"
2324
)
2425

2526
const (
@@ -232,6 +233,9 @@ func MigratePost(ctx *context.Context, form auth.MigrateRepoForm) {
232233
return
233234
}
234235

236+
// remoteAddr may contain credentials, so we sanitize it
237+
err = util.URLSanitizedError(err, remoteAddr)
238+
235239
if repo != nil {
236240
if errDelete := models.DeleteRepository(ctx.User, ctxUser.ID, repo.ID); errDelete != nil {
237241
log.Error(4, "DeleteRepository: %v", errDelete)
@@ -241,11 +245,11 @@ func MigratePost(ctx *context.Context, form auth.MigrateRepoForm) {
241245
if strings.Contains(err.Error(), "Authentication failed") ||
242246
strings.Contains(err.Error(), "could not read Username") {
243247
ctx.Data["Err_Auth"] = true
244-
ctx.RenderWithErr(ctx.Tr("form.auth_failed", models.HandleCloneUserCredentials(err.Error(), true)), tplMigrate, &form)
248+
ctx.RenderWithErr(ctx.Tr("form.auth_failed", err.Error()), tplMigrate, &form)
245249
return
246250
} else if strings.Contains(err.Error(), "fatal:") {
247251
ctx.Data["Err_CloneAddr"] = true
248-
ctx.RenderWithErr(ctx.Tr("repo.migrate.failed", models.HandleCloneUserCredentials(err.Error(), true)), tplMigrate, &form)
252+
ctx.RenderWithErr(ctx.Tr("repo.migrate.failed", err.Error()), tplMigrate, &form)
249253
return
250254
}
251255

0 commit comments

Comments
 (0)