http: support cookie redaction when tracing
authorJonathan Tan <jonathantanmy@google.com>
Fri, 19 Jan 2018 00:28:01 +0000 (16:28 -0800)
committerJunio C Hamano <gitster@pobox.com>
Fri, 19 Jan 2018 21:06:50 +0000 (13:06 -0800)
When using GIT_TRACE_CURL, Git already redacts the "Authorization:" and
"Proxy-Authorization:" HTTP headers. Extend this redaction to a
user-specified list of cookies, specified through the
"GIT_REDACT_COOKIES" environment variable.

Signed-off-by: Jonathan Tan <jonathantanmy@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Documentation/git.txt
http.c
t/t5551-http-fetch-smart.sh

index 3f4161a..5446d21 100644 (file)
@@ -646,6 +646,12 @@ of clones and fetches.
        variable.
        See `GIT_TRACE` for available trace output options.
 
+`GIT_REDACT_COOKIES`::
+       This can be set to a comma-separated list of strings. When a curl trace
+       is enabled (see `GIT_TRACE_CURL` above), whenever a "Cookies:" header
+       sent by the client is dumped, values of cookies whose key is in that
+       list (case-sensitive) are redacted.
+
 `GIT_LITERAL_PATHSPECS`::
        Setting this variable to `1` will cause Git to treat all
        pathspecs literally, rather than as glob patterns. For example,
diff --git a/http.c b/http.c
index 5977712..088cf70 100644 (file)
--- a/http.c
+++ b/http.c
 #include "transport.h"
 #include "packfile.h"
 #include "protocol.h"
+#include "string-list.h"
 
 static struct trace_key trace_curl = TRACE_KEY_INIT(CURL);
+static struct string_list cookies_to_redact = STRING_LIST_INIT_DUP;
 #if LIBCURL_VERSION_NUM >= 0x070a08
 long int git_curl_ipresolve = CURL_IPRESOLVE_WHATEVER;
 #else
@@ -575,6 +577,54 @@ static void redact_sensitive_header(struct strbuf *header)
                /* Everything else is opaque and possibly sensitive */
                strbuf_setlen(header,  sensitive_header - header->buf);
                strbuf_addstr(header, " <redacted>");
+       } else if (cookies_to_redact.nr &&
+                  skip_prefix(header->buf, "Cookie:", &sensitive_header)) {
+               struct strbuf redacted_header = STRBUF_INIT;
+               char *cookie;
+
+               while (isspace(*sensitive_header))
+                       sensitive_header++;
+
+               /*
+                * The contents of header starting from sensitive_header will
+                * subsequently be overridden, so it is fine to mutate this
+                * string (hence the assignment to "char *").
+                */
+               cookie = (char *) sensitive_header;
+
+               while (cookie) {
+                       char *equals;
+                       char *semicolon = strstr(cookie, "; ");
+                       if (semicolon)
+                               *semicolon = 0;
+                       equals = strchrnul(cookie, '=');
+                       if (!equals) {
+                               /* invalid cookie, just append and continue */
+                               strbuf_addstr(&redacted_header, cookie);
+                               continue;
+                       }
+                       *equals = 0; /* temporarily set to NUL for lookup */
+                       if (string_list_lookup(&cookies_to_redact, cookie)) {
+                               strbuf_addstr(&redacted_header, cookie);
+                               strbuf_addstr(&redacted_header, "=<redacted>");
+                       } else {
+                               *equals = '=';
+                               strbuf_addstr(&redacted_header, cookie);
+                       }
+                       if (semicolon) {
+                               /*
+                                * There are more cookies. (Or, for some
+                                * reason, the input string ends in "; ".)
+                                */
+                               strbuf_addstr(&redacted_header, "; ");
+                               cookie = semicolon + strlen("; ");
+                       } else {
+                               cookie = NULL;
+                       }
+               }
+
+               strbuf_setlen(header, sensitive_header - header->buf);
+               strbuf_addbuf(header, &redacted_header);
        }
 }
 
@@ -807,6 +857,11 @@ static CURL *get_curl_handle(void)
        if (getenv("GIT_CURL_VERBOSE"))
                curl_easy_setopt(result, CURLOPT_VERBOSE, 1L);
        setup_curl_trace(result);
+       if (getenv("GIT_REDACT_COOKIES")) {
+               string_list_split(&cookies_to_redact,
+                                 getenv("GIT_REDACT_COOKIES"), ',', -1);
+               string_list_sort(&cookies_to_redact);
+       }
 
        curl_easy_setopt(result, CURLOPT_USERAGENT,
                user_agent ? user_agent : git_user_agent());
index a51b7e2..21a5ce8 100755 (executable)
@@ -364,5 +364,26 @@ test_expect_success 'custom http headers' '
                submodule update sub
 '
 
+test_expect_success 'GIT_REDACT_COOKIES redacts cookies' '
+       rm -rf clone &&
+       echo "Set-Cookie: Foo=1" >cookies &&
+       echo "Set-Cookie: Bar=2" >>cookies &&
+       GIT_TRACE_CURL=true GIT_REDACT_COOKIES=Bar,Baz \
+               git -c "http.cookieFile=$(pwd)/cookies" clone \
+               $HTTPD_URL/smart/repo.git clone 2>err &&
+       grep "Cookie:.*Foo=1" err &&
+       grep "Cookie:.*Bar=<redacted>" err &&
+       ! grep "Cookie:.*Bar=2" err
+'
+
+test_expect_success 'GIT_REDACT_COOKIES handles empty values' '
+       rm -rf clone &&
+       echo "Set-Cookie: Foo=" >cookies &&
+       GIT_TRACE_CURL=true GIT_REDACT_COOKIES=Foo \
+               git -c "http.cookieFile=$(pwd)/cookies" clone \
+               $HTTPD_URL/smart/repo.git clone 2>err &&
+       grep "Cookie:.*Foo=<redacted>" err
+'
+
 stop_httpd
 test_done