[llvm] Avoid exposing unknown git repositories (PR #105220)

Petr Hosek via llvm-commits llvm-commits at lists.llvm.org
Wed Aug 21 01:08:25 PDT 2024


================
@@ -39,8 +39,14 @@ function(get_source_info path revision repository)
         OUTPUT_VARIABLE git_output
         ERROR_QUIET)
       if(git_result EQUAL 0)
-        string(STRIP "${git_output}" git_output)
-        set(${repository} ${git_output} PARENT_SCOPE)
+        # Avoid exposing sensitive data, e.g. usernames, passwords and
+        # private URLs.
+        string(FIND "${git_output}" "github.com/llvm/llvm-project" git_upstream)
+        if(git_upstream GREATER_EQUAL 0)
+          set(${repository} "https://github.com/llvm/llvm-project" PARENT_SCOPE)
+        else()
+          set(${repository} "forked repository" PARENT_SCOPE)
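Review bot: the `string(FIND "${git_output}" "github.com/llvm/llvm-project" git_upstream)` check is an unanchored substring match, so any remote whose URL merely contains that text (a repository named `llvm-project-internal` under the same path, or another host with the string somewhere in its path) is recorded as `https://github.com/llvm/llvm-project`. The hard-coded value keeps credentials out of the output either way, but the recorded repository would then be wrong. Consider keeping the `string(STRIP ...)` that this hunk removes and matching the whole value instead, for example `string(REGEX MATCH "^(https://|git@)github\\.com[:/]llvm/llvm-project(\\.git)?$" git_upstream "${git_output}")` followed by `if(git_upstream)`. With an anchored pattern, a URL carrying `user:token@` falls through to the `else()` branch rather than being labelled as upstream.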
----------------
petrhosek wrote:

This may not necessarily be a fork in the traditional sense (as in containing custom changes); it could be a mirror. I think in this case we should omit the repository altogether.

https://github.com/llvm/llvm-project/pull/105220

