Merge branch 'jt/http-redact-cookies' into maint

The http tracing code, often used to debug connection issues,
learned to redact potentially sensitive information from its output
so that it can be more safely sharable.

* jt/http-redact-cookies:
  http: support omitting data from traces
  http: support cookie redaction when tracing
This commit is contained in:
Junio C Hamano 2018-03-22 14:24:09 -07:00
commit 721dce003f
3 changed files with 117 additions and 8 deletions

View File

@ -646,6 +646,16 @@ of clones and fetches.
variable.
See `GIT_TRACE` for available trace output options.
`GIT_TRACE_CURL_NO_DATA`::
When a curl trace is enabled (see `GIT_TRACE_CURL` above), do not dump
data (that is, only dump info lines and headers).
`GIT_REDACT_COOKIES`::
This can be set to a comma-separated list of strings. When a curl trace
is enabled (see `GIT_TRACE_CURL` above), whenever a "Cookies:" header
sent by the client is dumped, values of cookies whose key is in that
list (case-sensitive) are redacted.
`GIT_LITERAL_PATHSPECS`::
Setting this variable to `1` will cause Git to treat all
pathspecs literally, rather than as glob patterns. For example,

82
http.c
View File

@ -13,8 +13,11 @@
#include "transport.h"
#include "packfile.h"
#include "protocol.h"
#include "string-list.h"
static struct trace_key trace_curl = TRACE_KEY_INIT(CURL);
static int trace_curl_data = 1;
static struct string_list cookies_to_redact = STRING_LIST_INIT_DUP;
#if LIBCURL_VERSION_NUM >= 0x070a08
long int git_curl_ipresolve = CURL_IPRESOLVE_WHATEVER;
#else
@ -575,6 +578,54 @@ static void redact_sensitive_header(struct strbuf *header)
/* Everything else is opaque and possibly sensitive */
strbuf_setlen(header, sensitive_header - header->buf);
strbuf_addstr(header, " <redacted>");
} else if (cookies_to_redact.nr &&
skip_prefix(header->buf, "Cookie:", &sensitive_header)) {
struct strbuf redacted_header = STRBUF_INIT;
char *cookie;
while (isspace(*sensitive_header))
sensitive_header++;
/*
* The contents of header starting from sensitive_header will
* subsequently be overridden, so it is fine to mutate this
* string (hence the assignment to "char *").
*/
cookie = (char *) sensitive_header;
while (cookie) {
char *equals;
char *semicolon = strstr(cookie, "; ");
if (semicolon)
*semicolon = 0;
equals = strchrnul(cookie, '=');
if (!equals) {
/* invalid cookie, just append and continue */
strbuf_addstr(&redacted_header, cookie);
continue;
}
*equals = 0; /* temporarily set to NUL for lookup */
if (string_list_lookup(&cookies_to_redact, cookie)) {
strbuf_addstr(&redacted_header, cookie);
strbuf_addstr(&redacted_header, "=<redacted>");
} else {
*equals = '=';
strbuf_addstr(&redacted_header, cookie);
}
if (semicolon) {
/*
* There are more cookies. (Or, for some
* reason, the input string ends in "; ".)
*/
strbuf_addstr(&redacted_header, "; ");
cookie = semicolon + strlen("; ");
} else {
cookie = NULL;
}
}
strbuf_setlen(header, sensitive_header - header->buf);
strbuf_addbuf(header, &redacted_header);
}
}
@ -645,24 +696,32 @@ static int curl_trace(CURL *handle, curl_infotype type, char *data, size_t size,
curl_dump_header(text, (unsigned char *)data, size, DO_FILTER);
break;
case CURLINFO_DATA_OUT:
text = "=> Send data";
curl_dump_data(text, (unsigned char *)data, size);
if (trace_curl_data) {
text = "=> Send data";
curl_dump_data(text, (unsigned char *)data, size);
}
break;
case CURLINFO_SSL_DATA_OUT:
text = "=> Send SSL data";
curl_dump_data(text, (unsigned char *)data, size);
if (trace_curl_data) {
text = "=> Send SSL data";
curl_dump_data(text, (unsigned char *)data, size);
}
break;
case CURLINFO_HEADER_IN:
text = "<= Recv header";
curl_dump_header(text, (unsigned char *)data, size, NO_FILTER);
break;
case CURLINFO_DATA_IN:
text = "<= Recv data";
curl_dump_data(text, (unsigned char *)data, size);
if (trace_curl_data) {
text = "<= Recv data";
curl_dump_data(text, (unsigned char *)data, size);
}
break;
case CURLINFO_SSL_DATA_IN:
text = "<= Recv SSL data";
curl_dump_data(text, (unsigned char *)data, size);
if (trace_curl_data) {
text = "<= Recv SSL data";
curl_dump_data(text, (unsigned char *)data, size);
}
break;
default: /* we ignore unknown types by default */
@ -807,6 +866,13 @@ static CURL *get_curl_handle(void)
if (getenv("GIT_CURL_VERBOSE"))
curl_easy_setopt(result, CURLOPT_VERBOSE, 1L);
setup_curl_trace(result);
if (getenv("GIT_TRACE_CURL_NO_DATA"))
trace_curl_data = 0;
if (getenv("GIT_REDACT_COOKIES")) {
string_list_split(&cookies_to_redact,
getenv("GIT_REDACT_COOKIES"), ',', -1);
string_list_sort(&cookies_to_redact);
}
curl_easy_setopt(result, CURLOPT_USERAGENT,
user_agent ? user_agent : git_user_agent());

View File

@ -364,5 +364,38 @@ test_expect_success 'custom http headers' '
submodule update sub
'
test_expect_success 'GIT_REDACT_COOKIES redacts cookies' '
rm -rf clone &&
echo "Set-Cookie: Foo=1" >cookies &&
echo "Set-Cookie: Bar=2" >>cookies &&
GIT_TRACE_CURL=true GIT_REDACT_COOKIES=Bar,Baz \
git -c "http.cookieFile=$(pwd)/cookies" clone \
$HTTPD_URL/smart/repo.git clone 2>err &&
grep "Cookie:.*Foo=1" err &&
grep "Cookie:.*Bar=<redacted>" err &&
! grep "Cookie:.*Bar=2" err
'
test_expect_success 'GIT_REDACT_COOKIES handles empty values' '
rm -rf clone &&
echo "Set-Cookie: Foo=" >cookies &&
GIT_TRACE_CURL=true GIT_REDACT_COOKIES=Foo \
git -c "http.cookieFile=$(pwd)/cookies" clone \
$HTTPD_URL/smart/repo.git clone 2>err &&
grep "Cookie:.*Foo=<redacted>" err
'
test_expect_success 'GIT_TRACE_CURL_NO_DATA prevents data from being traced' '
rm -rf clone &&
GIT_TRACE_CURL=true \
git clone $HTTPD_URL/smart/repo.git clone 2>err &&
grep "=> Send data" err &&
rm -rf clone &&
GIT_TRACE_CURL=true GIT_TRACE_CURL_NO_DATA=1 \
git clone $HTTPD_URL/smart/repo.git clone 2>err &&
! grep "=> Send data" err
'
stop_httpd
test_done