[llvm] 5904448 - Avoid exposing password and token from git repositories (#105220)

via llvm-commits llvm-commits at lists.llvm.org
Wed Sep 11 05:57:26 PDT 2024


Author: Tulio Magno Quites Machado Filho
Date: 2024-09-11T09:57:22-03:00
New Revision: 5904448ceb67d6a7bd752aa4b54d9acb64bcc533

URL: https://github.com/llvm/llvm-project/commit/5904448ceb67d6a7bd752aa4b54d9acb64bcc533
DIFF: https://github.com/llvm/llvm-project/commit/5904448ceb67d6a7bd752aa4b54d9acb64bcc533.diff

LOG: Avoid exposing password and token from git repositories (#105220)

Try to detect if the git remote URL has a password or a GitHub token and
return an error teaching the user how to avoid leaking their password or
token.

Added: 
    

Modified: 
    llvm/cmake/modules/VersionFromVCS.cmake

Removed: 
    


################################################################################
diff  --git a/llvm/cmake/modules/VersionFromVCS.cmake b/llvm/cmake/modules/VersionFromVCS.cmake
index 18edbeabe3e4b5..da42781d2ae39e 100644
--- a/llvm/cmake/modules/VersionFromVCS.cmake
+++ b/llvm/cmake/modules/VersionFromVCS.cmake
@@ -39,6 +39,30 @@ function(get_source_info path revision repository)
         OUTPUT_VARIABLE git_output
         ERROR_QUIET)
       if(git_result EQUAL 0)
+        # Passwords or tokens should not be stored in the remote URL at the
+        # risk of being leaked. In case we find one, error out and teach the
+        # user the best practices.
+        string(REGEX MATCH "https?://[^/]*:[^/]*@.*"
+          http_password "${git_output}")
+        if(http_password)
+          message(SEND_ERROR "The git remote repository URL has an embedded \
+password. Remove the password from the URL or use \
+`-DLLVM_FORCE_VC_REPOSITORY=<URL without password>` in order to avoid \
+leaking your password (see https://git-scm.com/docs/gitcredentials for \
+alternatives).")
+        endif()
+        # GitHub token formats are described at:
+        # https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-authentication-to-github#githubs-token-formats
+        string(REGEX MATCH
+          "https?://(gh[pousr]|github_pat)_[^/]+ at github.com.*"
+          github_token "${git_output}")
+        if(github_token)
+          message(SEND_ERROR "The git remote repository URL has an embedded \
+GitHub Token. Remove the token from the URL or use \
+`-DLLVM_FORCE_VC_REPOSITORY=<URL without token>` in order to avoid leaking \
+your token (see https://git-scm.com/docs/gitcredentials for alternatives).")
+        endif()
+
         string(STRIP "${git_output}" git_output)
         set(${repository} ${git_output} PARENT_SCOPE)
       else()
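Review bot: After each `message(SEND_ERROR ...)` control falls through to the unchanged `set(${repository} ${git_output} PARENT_SCOPE)` at the end of the hunk, so the credential-bearing URL is still handed to the caller even though generation will later be skipped; adding `return()` directly after each SEND_ERROR (the enclosing `get_source_info` starts and ends outside this hunk) keeps the secret out of parent-scope variables and out of any later diagnostic that might print the repository value. The second regex is rendered here as `"https?://(gh[pousr]|github_pat)_[^/]+ at github.com.*"`, which looks like the mailing-list address obfuscation of `@github.com`; worth confirming the committed pattern contains the literal `@`, since ` at ` would never match a real remote. Note also that the token check is pinned to the `github.com` host, so a token used as the user name against another host is only caught if a `:` password separator is also present; a short comment such as `# Only github.com tokens are recognised; other hosts rely on the password check above` would make that limit explicit.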


        

