
I'm not "making a claim" or inventing a heuristic, you can test this trivially:

    $ git clone https://....:x-oauth-basic@github.com/dw/csvmonkey.git
    Cloning into 'csvmonkey'...
    remote: Counting objects: 340, done.
    remote: Compressing objects: 100% (27/27), done.
    remote: Total 340 (delta 19), reused 27 (delta 10), pack-reused 303
    Receiving objects: 100% (340/340), 138.93 KiB | 0 bytes/s, done.
    Resolving deltas: 100% (212/212), done.

    $ cat csvmonkey/.git/logs/HEAD
    0000000000000000000000000000000000000000 c9d566bf167dcf3556008df58be37c4a27ff5062 David Wilson <dw@botanicus.net> 1497289486 +0100	clone: from https://....:x-oauth-basic@github.com/dw/csvmonkey.git
If you perform a Git checkout on a web server e.g. as part of an Ansible script, and you embedded secrets in the repo URL (common enough, believe me), then that secret is readable per above.

FWIW this isn't some unbelievable theory or hypothetical scenario, I've seen plenty of Ansible setups like this and found domains with this exact problem in the process of writing http://pythonsweetness.tumblr.com/post/52587443706/devs-plea... a few years back.




Hi,

You might not remember me. I'm the poster you're responding to. How have you been? Me, I'm all right.

I was just thinking of when we first spoke… it seems like so long ago! I remember it as clearly as yesterday: you had made a partially-coherent argument that the auth creds for a git URL could leak into a remote deployment's reflog! Oh, how we laughed, and our amusement doubled in size as you fancied an implausible situation where the read-only deployment credentials could be recovered from the very same repo they allowed access to!

It was much later when we crossed paths again, but your talent for sharing inventive tales had not waned in the slightest. For this next performance, you regaled us with the simple truth that no person can be certain that their commit history will not reveal their darkest secrets, and thus should strictly eschew sharing it in a public place; but that the contents of their index was above suspicion, and could be shouted to the world without a moment's thought! Many of us stumbled to determine what byzantine process made the working directory automatically scrub itself of secrets, before finally the jape dawned on them.

I eagerly anticipate our next encounter; what fresh new hilarity will you share with us?

I hope my restatement of my understanding of your position helps make my position clear,

--falsedan


I guess we're both having a bad day. Let's break down the original statement:

> git clone https://username:password@github.com/...

This command produces a new git repository by cloning the supplied URL.

> will end up in git reflog

The newly generated repository's reflog will contain the credentials passed on the command line.

> so yes, it's a problem

Assuming the newly generated repository also happens to be a static HTTP server root, which is the subject of the thread in which you've been posting.
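The leak demonstrated with `cat csvmonkey/.git/logs/HEAD` in the first comment, and restated step by step in the comment above, is easy to check for on a deployed host. The following script is an added example, not code from either commenter: it parses reflog/config lines in the format git writes, reports any URL whose userinfo part carries a username or password (covering both `user:password@` and the `TOKEN:x-oauth-basic@` form), and produces a redacted copy of the line. The sample reflog line and the `deploy:s3cr3t-token` credential are constructed placeholders; `scan_git_dir` assumes a standard `.git` layout (`config`, `logs/HEAD`, `logs/refs/**`).

```python
import os
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample line in the format git writes to .git/logs/HEAD:
# <old-sha> <new-sha> <author> <timestamp> <tz>\t<message>
# The credential "deploy:s3cr3t-token" is a placeholder, not a real secret.
SAMPLE_REFLOG = (
    "0000000000000000000000000000000000000000 "
    "c9d566bf167dcf3556008df58be37c4a27ff5062 "
    "Example User <user@example.invalid> 1497289486 +0100\t"
    "clone: from https://deploy:s3cr3t-token@github.com/example/repo.git"
)

# Any scheme://... token up to the next whitespace character.
URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://\S+", re.IGNORECASE)


def credentials_in_url(url):
    """Return (username, password) embedded in the URL's authority, or None.

    Either field may hold the secret: GitHub tokens are commonly passed as
    the username with the literal password "x-oauth-basic".
    """
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed authority (e.g. bad IPv6 literal)
        return None
    if parts.username is None and parts.password is None:
        return None
    return (parts.username or "", parts.password or "")


def redact_url(url):
    """Return the URL with any userinfo replaced by the literal 'REDACTED'."""
    try:
        parts = urlsplit(url)
        if parts.username is None and parts.password is None:
            return url
        host = parts.hostname or ""
        if parts.port:
            host = f"{host}:{parts.port}"
    except ValueError:
        return url
    return urlunsplit((parts.scheme, "REDACTED@" + host,
                       parts.path, parts.query, parts.fragment))


def scan_reflog(text):
    """Scan reflog or config text line by line.

    Returns a list of (line_no, leaked_username, redacted_line) for every
    line that contains a URL with embedded credentials.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in URL_RE.finditer(line):
            creds = credentials_in_url(match.group(0))
            if creds is not None:
                redacted = URL_RE.sub(lambda m: redact_url(m.group(0)), line)
                findings.append((line_no, creds[0], redacted))
                break  # one finding per line is enough
    return findings


def scan_git_dir(git_dir):
    """Scan the files inside a .git directory that record remote URLs.

    Covers .git/config (remote "origin" url) and every reflog under
    .git/logs/. Returns a dict of relative path -> findings list.
    """
    results = {}
    candidates = [os.path.join(git_dir, "config")]
    logs_dir = os.path.join(git_dir, "logs")
    for root, _dirs, files in os.walk(logs_dir):
        candidates.extend(os.path.join(root, f) for f in files)
    for path in candidates:
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = scan_reflog(fh.read())
        if hits:
            results[os.path.relpath(path, git_dir)] = hits
    return results


if __name__ == "__main__":
    for line_no, user, redacted in scan_reflog(SAMPLE_REFLOG):
        print(f"line {line_no}: credential for user {user!r} found; "
              f"redacted line: {redacted}")
```

Run `scan_git_dir("/srv/www/site/.git")` (a hypothetical document root) on a host provisioned this way to confirm whether the clone URL was recorded with its userinfo. Redacting the log line after the fact only limits the exposure; the credential itself should be treated as disclosed and rotated, and future clones should pass credentials through a credential helper or deploy key rather than in the URL, with `.git/` excluded from what the web server will serve.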


Thanks, that makes it clear to me.

