[llvm] Avoid exposing password and token from git repositories (PR #105220)
James Y Knight via llvm-commits
llvm-commits at lists.llvm.org
Wed Sep 4 07:49:49 PDT 2024
================
@@ -39,6 +39,29 @@ function(get_source_info path revision repository)
OUTPUT_VARIABLE git_output
ERROR_QUIET)
if(git_result EQUAL 0)
+ # Passwords or tokens should not be stored in the remote URL at the
+ # risk of being leaked. In case we find one, error out and teach the
+ # user the best practices.
+ string(REGEX MATCH "https?://[^/]*:[^/]*@.*"
+ http_password "${git_output}")
+ if(http_password)
+ message(SEND_ERROR "The remote URL has an embedded password. \
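Review bot: The pattern in the added string(REGEX MATCH ...) call requires a colon inside the userinfo part ("[^/]*:[^/]*@"), so a remote of the form https://TOKEN@host/..., where the token is the whole userinfo with no colon, passes this check even though the comment above it says tokens should be caught. Consider matching any userinfo, for example "https?://[^/@]+@", accepting that a username-only URL would then also be reported, or state in the comment that only the user:secret form is detected. The message text says only "embedded password" while the comment covers tokens as well, so "password or token" would keep the two consistent. Because http_password holds the matched URL including the secret, the error text should not interpolate it or ${git_output}.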
----------------
jyknight wrote:
For clarity, I'd start with "The git remote repository URL".
After "remove the {password|token} from the URL", perhaps add something like "(see https://git-scm.com/docs/gitcredentials for alternatives)".
https://github.com/llvm/llvm-project/pull/105220