Avoid exposing password and token from git repositories (#105220)

Try to detect if the git remote URL has a password or a Github token and return an error teaching the user how to avoid leaking their password or token.
2024-09-11 09:57:22 -03:00 · 2024-09-11 09:57:22 -03:00 · 5904448ceb
commit 5904448ceb
parent 99a2354993
1 changed files with 24 additions and 0 deletions
--- a/llvm/cmake/modules/VersionFromVCS.cmake
+++ b/llvm/cmake/modules/VersionFromVCS.cmake
@ -39,6 +39,30 @@ function(get_source_info path revision repository)
        OUTPUT_VARIABLE git_output
        ERROR_QUIET)
      if(git_result EQUAL 0)
+        # Passwords or tokens should not be stored in the remote URL at the
+        # risk of being leaked. In case we find one, error out and teach the
+        # user the best practices.
+        string(REGEX MATCH "https?://[^/]*:[^/]*@.*"
+          http_password "${git_output}")
+        if(http_password)
+          message(SEND_ERROR "The git remote repository URL has an embedded \
+password. Remove the password from the URL or use \
+`-DLLVM_FORCE_VC_REPOSITORY=<URL without password>` in order to avoid \
+leaking your password (see https://git-scm.com/docs/gitcredentials for \
+alternatives).")
+        endif()
+        # GitHub token formats are described at:
+        # https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-authentication-to-github#githubs-token-formats
+        string(REGEX MATCH
+          "https?://(gh[pousr]|github_pat)_[^/]+@github.com.*"
+          github_token "${git_output}")
+        if(github_token)
+          message(SEND_ERROR "The git remote repository URL has an embedded \
+GitHub Token. Remove the token from the URL or use \
+`-DLLVM_FORCE_VC_REPOSITORY=<URL without token>` in order to avoid leaking \
+your token (see https://git-scm.com/docs/gitcredentials for alternatives).")
+        endif()
+
        string(STRIP "${git_output}" git_output)
        set(${repository} ${git_output} PARENT_SCOPE)
      else()