
cmd/go: go get -u with GIT_TERMINAL_PROMPT=1 combines separate git username/password prompts, which can lead to password being exposed #38090

Open
buriedgod opened this issue Mar 26, 2020 · 4 comments

Comments

@buriedgod buriedgod commented Mar 26, 2020

What version of Go are you using (go version)?

$ go version
go version go1.14.1 linux/amd64

Does this issue reproduce with the latest release?

Not Tested

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/nibin/.cache/go-build"
GOENV="/home/nibin/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/nibin/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/snap/go/5569"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/snap/go/5569/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/home/nibin/golang/mod-exp/sample-mods/mysample/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build009035298=/tmp/go-build -gno-record-gcc-switches"

What did you do?

I tried to update go module dependencies (2 separate go modules residing in 2 repos; the dependencies reside in a private repo) using GIT_TERMINAL_PROMPT=1 GOSUMDB=off go get -u

What did you expect to see?

Assume the password entered is: mypassword

Username for 'https://gitlab.com': myusername
Password for 'https://myusername@gitlab.com':
Username for 'https://gitlab.com': myusername
Password for 'https://myusername@gitlab.com':

What did you see instead?

Assume the password entered is: mypassword

Username for 'https://gitlab.com': 
Username for 'https://gitlab.com': myusername
Password for 'https://myusername@gitlab.com': 
Password for 'https://mypassword@gitlab.com':
@andybons andybons changed the title from "go get -u with GIT-TERMINAL PROMPT=1 confuses git password and username and Exposes Git Password" to "cmd/go: go get -u with GIT_TERMINAL_PROMPT=1 combines separate git username/password prompts, which can lead to password being exposed" Mar 26, 2020
@andybons andybons added this to the Unplanned milestone Mar 26, 2020
Member

@andybons andybons commented Mar 26, 2020

Contributor

@jayconrod jayconrod commented Mar 26, 2020

This is happening because the go command runs git commands for multiple repositories concurrently. By default, it sets GIT_TERMINAL_PROMPT=0, but it allows users to override that.

The narrow solution here would be to only run one git command at a time if GIT_TERMINAL_PROMPT=1. That doesn't seem like a great experience though.

@bcmills Should we allow GIT_TERMINAL_PROMPT=1 at all, now that ~/.netrc is supported? Does it cover this case?
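The serialization the comment above alludes to, as an added illustration that is not the go command's own code: prompting is off by default (GIT_TERMINAL_PROMPT=0), and when the parent environment explicitly enables it, each git invocation holds a process-wide lock so two repositories can never interleave their username/password prompts on the same stdin. Directory names and the `git fetch` arguments are assumptions for illustration.

```go
package main

import (
	"os"
	"os/exec"
	"strings"
	"sync"
)

// promptMu serializes git invocations that are allowed to prompt on the
// terminal, so concurrent repository operations cannot interleave their
// "Username for" / "Password for" prompts on the shared stdin.
var promptMu sync.Mutex

// gitEnv builds the environment for a git subprocess. Prompting is
// disabled by default (GIT_TERMINAL_PROMPT=0) and re-enabled only if the
// containing environment explicitly sets GIT_TERMINAL_PROMPT=1. The
// second result reports whether the resulting command may prompt.
func gitEnv(parent []string) (env []string, mayPrompt bool) {
	for _, kv := range parent {
		if strings.HasPrefix(kv, "GIT_TERMINAL_PROMPT=") {
			mayPrompt = strings.TrimPrefix(kv, "GIT_TERMINAL_PROMPT=") == "1"
			continue // dropped here; a single canonical value is appended below
		}
		env = append(env, kv)
	}
	if mayPrompt {
		return append(env, "GIT_TERMINAL_PROMPT=1"), true
	}
	return append(env, "GIT_TERMINAL_PROMPT=0"), false
}

// runGit runs one git command in dir (dir and args are assumed by the
// caller). When prompting is enabled the whole run happens under
// promptMu, so concurrent callers queue up and each one's prompts are
// answered by the lines the user typed for that repository only.
func runGit(dir string, args ...string) error {
	env, mayPrompt := gitEnv(os.Environ())
	if mayPrompt {
		promptMu.Lock()
		defer promptMu.Unlock()
	}
	cmd := exec.Command("git", args...)
	cmd.Dir = dir
	cmd.Env = env
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	return cmd.Run()
}
```

Without the lock, two goroutines each calling runGit against a private repo reproduce the interleaving shown in the issue: the password typed for the first clone is consumed as the username of the second.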

Member

@bcmills bcmills commented Mar 27, 2020

We probably should not allow GIT_TERMINAL_PROMPT.

At one point I started adding explicit serialization of Git terminal operations (first setting to 0, then acquiring a lock and setting to 1 if it is set in the containing environment), but after discussion with Russ we decided that that wasn't a great UX, especially given .netrc and the Git credential cache in general.

@bcmills bcmills modified the milestones: Unplanned, Backlog Mar 27, 2020
Contributor

@jayconrod jayconrod commented Mar 30, 2020

+1 to disallowing GIT_TERMINAL_PROMPT. Let's make sure .netrc and other procedures for accessing private repos are better documented first though. I suspect in most cases, people are only using one private repo and won't run into this issue.
