Github token is leaked when used as a part of remote URL

[0xnm]

Github allows usage of personal access tokens with remote URLs in the format:

https://<token>@github.com/owner/repo.git

or

https://<token>:x-oauth-basic@github.com/owner/repo.git

If such URL is used with Remote, if some error related to the access happens, it (in the example below token is foobar) can be leaked via exception message, like the following:

Traceback (most recent call last):
  File "start.py", line 119, in <module>
    sys.exit(run_main())
    ...
git.exc.GitCommandError: Cmd('git') failed due to: exit code(128)
  cmdline: git push --set-upstream --force ....
  stderr: 'remote: some error.
fatal: unable to access 'https://foobar:x-oauth-basic@github.com/FooBarCorp/some-repo/': The requested URL returned error: 403'

It would be nice to have internal mechanism to prevent such leakage.

[Byron]

Thanks for reporting.

That's interesting because passwords are already removed from URLs, at least supposedly so.

Which version of GitPython are you using? In case it's not the latest one, is the issue still reproducible with the most recent one?

[0xnm]

Hello @Byron. I'm using version 3.1.11, but by looking on

GitPython/git/util.py

Line 404 in 0a6d9d6

def remove_password_if_present(cmdline):

I guess it will still be reproducible, because it takes care only about url.password part, while in the URL which Github is using, token is located at the username part, here is a run proof https://onecompiler.com/python/3x4mtarsc

[Byron]

Thanks a lot for following up so quickly. I see that even though more recent version of GitPython do better, they are still not equipped to hide all secrets.
What do you think about boosting the current implementation to the point where it considers usernames (or github tokens by extension) potentially PII and thus should hide them too. The existing test could probably be adjusted to do that.

[0xnm]

I would agree that usernames can be considered as sensitive info as well and it is better to remove it (threat actor may collect user names by grabbing the logs and it will the simplify bruteforce attacks). Although it may be needed for the debugging, but I guess users can check the username they use in the URL before passing it to GitPython in their debug scenario.

[torbsorb]

From Github: "Support for password authentication was removed on August 13, 2021. Please use a personal access token instead."
What are the actual implications of not removing the token from the URL, as is the case with the current version of Gitpython? Since this is over HTTPS, what is actually easily available for a malicious actor? We have a use-case for this but are hesitant about using Gitpython for this reason. The intention is to push a branch based on generated changes in CI. We have to use a token, based on Github's move. Are there any good alternatives (besides Github action plugins)?

[Byron]

Since this is over HTTPS, what is actually easily available for a malicious actor?

GitPython can leak the username to a log due to the username not being obfuscated when producing an exception. Tokens are passed as extra header fields which GitPython doesn't actually know about. They would be handled by a git credentials helper program which might or might not work if git is invoked through GitPython.