clone/fetch: anonymize URLs in the reflog

Even if we strongly discourage putting credentials into the URLs passed
via the command-line, there _is_ support for that, and users _do_ do
that.

Let's scrub them before writing them to the reflog.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/builtin/clone.c b/builtin/clone.c
index 1ad26f4d8c81b3e26bca8c3701162ab0e8120e87..002d23ab0a2d56aca497e5fac77c363372db3408 100644 (file)
--- a/builtin/clone.c
+++ b/builtin/clone.c
@@ -939,7 +939,7 @@ int cmd_clone(int argc, const char **argv, const char *prefix)
 {
        int is_bundle = 0, is_local;
        const char *repo_name, *repo, *work_tree, *git_dir;
-       char *path, *dir;
+       char *path, *dir, *display_repo = NULL;
        int dest_exists;
        const struct ref *refs, *remote_head;
        const struct ref *remote_head_points_at;
@@ -994,10 +994,11 @@ int cmd_clone(int argc, const char **argv, const char *prefix)
        path = get_repo_path(repo_name, &is_bundle);
        if (path)
                repo = absolute_pathdup(repo_name);
-       else if (!strchr(repo_name, ':'))
-               die(_("repository '%s' does not exist"), repo_name);
-       else
+       else if (strchr(repo_name, ':')) {
                repo = repo_name;
+               display_repo = transport_anonymize_url(repo);
+       } else
+               die(_("repository '%s' does not exist"), repo_name);
 
        /* no need to be strict, transport_set_option() will validate it again */
        if (option_depth && atoi(option_depth) < 1)
@@ -1014,7 +1015,9 @@ int cmd_clone(int argc, const char **argv, const char *prefix)
                die(_("destination path '%s' already exists and is not "
                        "an empty directory."), dir);
 
-       strbuf_addf(&reflog_msg, "clone: from %s", repo);
+       strbuf_addf(&reflog_msg, "clone: from %s",
+                   display_repo ? display_repo : repo);
+       free(display_repo);
 
        if (option_bare)
                work_tree = NULL;

diff --git a/builtin/fetch.c b/builtin/fetch.c
index bf6bab80fab915242f412de7f0ced4a92d95f930..d58b7572114570a2425a2b7f1f4e9b2cef367744 100644 (file)
--- a/builtin/fetch.c
+++ b/builtin/fetch.c
@@ -1765,8 +1765,13 @@ int cmd_fetch(int argc, const char **argv, const char *prefix)
 
        /* Record the command line for the reflog */
        strbuf_addstr(&default_rla, "fetch");
-       for (i = 1; i < argc; i++)
-               strbuf_addf(&default_rla, " %s", argv[i]);
+       for (i = 1; i < argc; i++) {
+               /* This handles non-URLs gracefully */
+               char *anon = transport_anonymize_url(argv[i]);
+
+               strbuf_addf(&default_rla, " %s", anon);
+               free(anon);
+       }
 
        fetch_config_from_gitmodules(&submodule_fetch_jobs_config,
                                     &recurse_submodules);

diff --git a/t/t5541-http-push-smart.sh b/t/t5541-http-push-smart.sh
index 23be8ce92d67824166156cf0c5ca380022b79efc..2d60381a5e7bc8c81b60b64680db13bf727173d0 100755 (executable)
--- a/t/t5541-http-push-smart.sh
+++ b/t/t5541-http-push-smart.sh
@@ -456,6 +456,21 @@ test_expect_success 'push status output scrubs password' '
        grep "^To $HTTPD_URL/smart/test_repo.git" status
 '
 
+test_expect_success 'clone/fetch scrubs password from reflogs' '
+       cd "$ROOT_PATH" &&
+       git clone "$HTTPD_URL_USER_PASS/smart/test_repo.git" \
+               reflog-test &&
+       cd reflog-test &&
+       test_commit prepare-for-force-fetch &&
+       git switch -c away &&
+       git fetch "$HTTPD_URL_USER_PASS/smart/test_repo.git" \
+               +master:master &&
+       # should have been scrubbed down to vanilla URL
+       git log -g master >reflog &&
+       grep "$HTTPD_URL" reflog &&
+       ! grep "$HTTPD_URL_USER_PASS" reflog
+'
+
 test_expect_success 'colorize errors/hints' '
        cd "$ROOT_PATH"/test_repo_clone &&
        test_must_fail git -c color.transport=always -c color.advice=always \