Github token is leaked when used as a part of remote URL #1284

Closed
@0xnm

Description

GitHub allows usage of personal access tokens with remote URLs in the format:

https://<token>@github.com/owner/repo.git

or

https://<token>:x-oauth-basic@github.com/owner/repo.git

If such a URL is used with Remote and some error related to access happens, the token (foobar in the example below) can be leaked via the exception message, like the following:

Traceback (most recent call last):
  File "start.py", line 119, in <module>
    sys.exit(run_main())
    ...
git.exc.GitCommandError: Cmd('git') failed due to: exit code(128)
  cmdline: git push --set-upstream --force ....
  stderr: 'remote: some error.
fatal: unable to access 'https://foobar:x-oauth-basic@github.com/FooBarCorp/some-repo/': The requested URL returned error: 403'

It would be nice to have an internal mechanism to prevent such leakage.
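
One way to build the kind of mechanism requested above, as an added example (not GitPython's code and not part of the original report): scrub the userinfo part of any URL before it is stored in or printed by an exception. The names `redact_url_credentials`, `RedactedCommandError` and `run_git` are hypothetical, and the sample stderr is constructed from the message quoted in the issue.

```python
import re
import subprocess

REDACTED = "*****"

# scheme://userinfo@host, found anywhere in free text. Userinfo cannot contain
# '/', '@', whitespace or quotes, so "https://host/path@ref" is left alone.
_USERINFO_RE = re.compile(
    r"(?P<scheme>\b[a-z][a-z0-9+.-]*://)(?P<userinfo>[^/@\s'\"]+)@",
    re.IGNORECASE,
)


def redact_url_credentials(text: str) -> str:
    """Replace the userinfo part of every URL in text with a fixed mask."""
    return _USERINFO_RE.sub(lambda m: f"{m.group('scheme')}{REDACTED}@", text)


class RedactedCommandError(Exception):
    """Hypothetical error type: stores and prints only scrubbed values."""

    def __init__(self, cmdline, status, stderr):
        self.cmdline = [redact_url_credentials(arg) for arg in cmdline]
        self.status = status
        self.stderr = redact_url_credentials(stderr)
        super().__init__(
            f"Cmd('git') failed due to: exit code({status})\n"
            f"  cmdline: {' '.join(self.cmdline)}\n"
            f"  stderr: {self.stderr!r}"
        )


def run_git(*args: str) -> str:
    """Run git; on failure raise an error whose message carries no token."""
    cmdline = ["git", *args]
    proc = subprocess.run(cmdline, capture_output=True, text=True)
    if proc.returncode != 0:
        raise RedactedCommandError(cmdline, proc.returncode, proc.stderr)
    return proc.stdout


# Constructed sample, modelled on the stderr quoted in the issue.
SAMPLE_STDERR = (
    "remote: some error.\n"
    "fatal: unable to access "
    "'https://foobar:x-oauth-basic@github.com/FooBarCorp/some-repo/': "
    "The requested URL returned error: 403"
)
```

Masking covers both the `cmdline` and `stderr` fields, since git echoes the remote URL in either. It only protects exception text and logs: a token embedded in a remote URL is still present in the process arguments and in `.git/config`.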
