Hide password when supplying basic credentials #432

Closed
felipecrs opened this issue Aug 30, 2021 · 5 comments · Fixed by #436
Labels: bug, platform:linux

Comments

@felipecrs
Contributor

felipecrs commented Aug 30, 2021

Currently, the following happens:

$ git-credential-manager-core --version
2.0.498+7ad55fb809
$ git config credential.helper
/usr/bin/git-credential-manager-core
$ git clone https://review.gerrithub.io/a/felipecrs/gerrit-jenkins-test
Cloning into 'gerrit-jenkins-test'...
Enter basic credentials for 'https://review.gerrithub.io/':
Username: felipecrs
Password: test1234

Ideally, the password should be hidden.

@mjcheetham
Collaborator

mjcheetham commented Sep 1, 2021

Hmm.. how strange. For all platforms we try and disable echoing of typed characters in the password field.

See PosixTerminal and WindowsTerminal

A couple of questions for you:

  1. Are you running on Windows, macOS, or Linux?
  2. Which terminal application and which shell are you using?

Can you also please try this again, but set the GCM_TRACE environment variable to an absolute file path, and attach the resulting log?

$ GCM_TRACE=/tmp/gcm.log git clone https://review.gerrithub.io/a/felipecrs/gerrit-jenkins-test

You should see some lines about setting echo state of the terminal.

On my machine (macOS with Terminal.app and bash) I see the following (password is not being echoed):

[image]

mjcheetham added the bug and host:generic labels Sep 1, 2021
@felipecrs
Contributor Author

felipecrs commented Sep 1, 2021

I was able to reproduce this in all the scenarios I tested:

  • Ubuntu 20.04 on WSL2 through Windows Terminal (and WSLg)
  • Gnome Terminal on Ubuntu 18.04
  • VS Code integrated terminal on Ubuntu 18.04

All using secretService as credentialStore. All using ZSH (but I just tested with Bash and the same happens).

gcm.log

Indeed, there are some references about echo.

  10:40:22.825863 ...er/Application.cs:80 trace: [RunInternalAsync] Version: 2.0.498.54650
  10:40:22.826110 ...er/Application.cs:81 trace: [RunInternalAsync] Runtime: .NET 5.0.6
  10:40:22.826128 ...er/Application.cs:82 trace: [RunInternalAsync] Platform: Linux (x86-64)
  10:40:22.826169 ...er/Application.cs:83 trace: [RunInternalAsync] AppPath: /usr/bin/git-credential-manager-core
  10:40:22.826195 ...er/Application.cs:84 trace: [RunInternalAsync] Arguments: get
  10:40:22.915722 ...GitCommandBase.cs:35 trace: [ExecuteAsync] Start 'get' command...
  10:40:22.922713 ...GitCommandBase.cs:49 trace: [ExecuteAsync] Detecting host provider for input:
  10:40:22.923756 ...GitCommandBase.cs:50 trace: [ExecuteAsync] 	protocol=https
  10:40:22.923771 ...GitCommandBase.cs:50 trace: [ExecuteAsync] 	host=review.gerrithub.io
  10:40:22.934730 ...viderRegistry.cs:149 trace: [GetProviderAsync] Performing auto-detection of host provider.
  10:40:22.936033 ...viderRegistry.cs:162 trace: [GetProviderAsync] Checking against 3 host providers registered with priority 'Normal'.
  10:40:22.937000 ...viderRegistry.cs:154 trace: [GetProviderAsync] Querying remote URL for host provider auto-detection.
  10:40:22.938062 ...pClientFactory.cs:54 trace: [CreateClient] Creating new HTTP client instance...
  10:40:23.760056 ...etHostProvider.cs:72 trace: [IsSupported] Host isn't supported as Bitbucket
  10:40:23.760526 ...viderRegistry.cs:162 trace: [GetProviderAsync] Checking against 1 host providers registered with priority 'Low'.
  10:40:23.760651 ...GitCommandBase.cs:52 trace: [ExecuteAsync] Host provider 'Generic' was selected.
  10:40:23.761816 .../HostProvider.cs:128 trace: [GetCredentialAsync] Looking for existing credential in store with service=https://review.gerrithub.io account=...
  10:40:25.624350 .../HostProvider.cs:133 trace: [GetCredentialAsync] No existing credentials found.
  10:40:25.624419 .../HostProvider.cs:136 trace: [GetCredentialAsync] Creating new credential...
  10:40:25.675582 ...icHostProvider.cs:78 trace: [GenerateCredentialAsync] Skipping check for Windows Integrated Authentication on Linux.
  10:40:25.675610 ...icHostProvider.cs:86 trace: [GenerateCredentialAsync] Prompting for basic credentials...
  10:40:25.681340 ...PosixTerminal.cs:150 trace: [.ctor] Setting terminal echo state to 'True'
  10:40:30.348861 ...PosixTerminal.cs:150 trace: [.ctor] Setting terminal echo state to 'False'
  10:40:32.809223 .../HostProvider.cs:138 trace: [GetCredentialAsync] Credential created.
  10:40:32.809986 ...GitCommandBase.cs:56 trace: [ExecuteAsync] End 'get' command...
  10:40:33.561617 ...er/Application.cs:80 trace: [RunInternalAsync] Version: 2.0.498.54650
  10:40:33.562002 ...er/Application.cs:81 trace: [RunInternalAsync] Runtime: .NET 5.0.6
  10:40:33.562023 ...er/Application.cs:82 trace: [RunInternalAsync] Platform: Linux (x86-64)
  10:40:33.562071 ...er/Application.cs:83 trace: [RunInternalAsync] AppPath: /usr/bin/git-credential-manager-core
  10:40:33.562098 ...er/Application.cs:84 trace: [RunInternalAsync] Arguments: erase
  10:40:33.615735 ...GitCommandBase.cs:35 trace: [ExecuteAsync] Start 'erase' command...
  10:40:33.622153 ...GitCommandBase.cs:49 trace: [ExecuteAsync] Detecting host provider for input:
  10:40:33.623119 ...GitCommandBase.cs:50 trace: [ExecuteAsync] 	protocol=https
  10:40:33.623134 ...GitCommandBase.cs:50 trace: [ExecuteAsync] 	host=review.gerrithub.io
  10:40:33.623138 ...GitCommandBase.cs:50 trace: [ExecuteAsync] 	username=felipecrs
  10:40:33.623141 ...GitCommandBase.cs:50 trace: [ExecuteAsync] 	password=********
  10:40:33.633842 ...viderRegistry.cs:149 trace: [GetProviderAsync] Performing auto-detection of host provider.
  10:40:33.634907 ...viderRegistry.cs:162 trace: [GetProviderAsync] Checking against 3 host providers registered with priority 'Normal'.
  10:40:33.635787 ...viderRegistry.cs:154 trace: [GetProviderAsync] Querying remote URL for host provider auto-detection.
  10:40:33.636851 ...pClientFactory.cs:54 trace: [CreateClient] Creating new HTTP client instance...
  10:40:34.653680 ...etHostProvider.cs:72 trace: [IsSupported] Host isn't supported as Bitbucket
  10:40:34.654190 ...viderRegistry.cs:162 trace: [GetProviderAsync] Checking against 1 host providers registered with priority 'Low'.
  10:40:34.654337 ...GitCommandBase.cs:52 trace: [ExecuteAsync] Host provider 'Generic' was selected.
  10:40:34.654619 .../HostProvider.cs:175 trace: [EraseCredentialAsync] Erasing stored credential in store with service=https://review.gerrithub.io account=felipecrs...
  10:40:34.679044 .../HostProvider.cs:182 trace: [EraseCredentialAsync] No credential was erased.
  10:40:34.679083 ...GitCommandBase.cs:56 trace: [ExecuteAsync] End 'erase' command...

mjcheetham added the platform:linux label and removed the host:generic label Sep 2, 2021
@mjcheetham
Collaborator

mjcheetham commented Sep 3, 2021

Hi @felipecrs,

I've identified the problem (native struct termios alignment issues), and a fix has been made (#436). It will go out in the next release of GCM!

Thanks for reporting this :)
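
The trace earlier in this thread logs "Setting terminal echo state" while the password was still visible, and the cause was the layout of the native termios struct. As an added example (not GCM's code and not written by anyone in this thread), the C program below clears ECHO and then reads the state back instead of trusting the call. The helper names, the shifted offset and the use of /dev/ptmx on Linux are assumptions made for the demonstration.

```c
/* Added example, not GCM code. Linux assumed: /dev/ptmx yields a private
 * terminal, so the caller's own tty is never modified. */
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Where the C library really keeps c_lflag inside struct termios. */
#define NATIVE_LFLAG_OFF offsetof(struct termios, c_lflag)

int open_private_tty(void) { return open("/dev/ptmx", O_RDWR | O_NOCTTY); }

/* 1 = echo on, 0 = echo off, -1 = fd is not a terminal. */
int echo_is_on(int fd)
{
    struct termios t;
    return tcgetattr(fd, &t) == 0 ? (t.c_lflag & ECHO) != 0 : -1;
}

/* Clear ECHO in the word at byte offset `lflag_off`, as interop code with
 * its own struct declaration would, then confirm the result.
 * Returns 0 only if the terminal has echo off afterwards. */
int disable_echo_verified(int fd, size_t lflag_off)
{
    struct termios t;
    tcflag_t flags;

    if (lflag_off > sizeof t - sizeof flags) return -1;
    if (tcgetattr(fd, &t) != 0) return -1;          /* e.g. ENOTTY */
    memcpy(&flags, (unsigned char *)&t + lflag_off, sizeof flags);
    flags &= ~(tcflag_t)ECHO;
    memcpy((unsigned char *)&t + lflag_off, &flags, sizeof flags);
    if (tcsetattr(fd, TCSANOW, &t) != 0) return -1;
    /* A flag written to the wrong place still gives a successful tcsetattr,
     * so only a fresh tcgetattr proves the password will not be echoed. */
    return echo_is_on(fd) == 0 ? 0 : -1;
}

int main(void)
{
    int fd = open_private_tty();
    if (fd < 0) { perror("/dev/ptmx"); return 1; }
    /* Constructed wrong offset: one flag field too far. */
    int bad = disable_echo_verified(fd, NATIVE_LFLAG_OFF + sizeof(tcflag_t));
    printf("shifted offset: rc=%d echo=%d\n", bad, echo_is_on(fd));
    int ok = disable_echo_verified(fd, NATIVE_LFLAG_OFF);
    printf("native offset:  rc=%d echo=%d\n", ok, echo_is_on(fd));
    close(fd);
    return 0;
}
```

A caller that gets a non-zero result should refuse to prompt for the password on that terminal rather than continue with echo still enabled.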

@felipecrs
Contributor Author

That's awesome! Thank you very much. :)

@erik-mansson

I noticed this (that git no longer hides passwords but shows them in plaintext) recently, on Linux Mint Debian Edition with gnome-terminal (its --version says "3.30.2 using VTE 0.54.2 +GNUTLS"). Password prompts used to be hidden (and still are for non-git stuff). It is possible that I experienced the issue because this was the first time I worked on a non-github repository after GitHub made me install something to support better authentication (possibly gcmcore) a few months ago.

Initially I had gcmcore 2.0.475.64295 and hoped that downloading and installing the latest .deb package would include your fix. But it is still there with 2.0.498.54650. Could you please clarify if "next release" means that I have to wait for something like version 2.1?

I attach my gcm.log by enabling the GCM_TRACE as requested above. I called git-credential-manager-core --version once before git pull. The log file has been edited to replace domain- and usernames. Let me know if I can provide any further information (if the bug was supposed to have been solved in the version I downloaded).
