do not pass cred on command line (#108)

2025-10-31 13:58:09 +08:00 · 2019-12-12 14:04:04 -05:00
parent c170eefc26
commit a6747255bd
2 changed files with 43 additions and 10 deletions
--- a/src/git-source-provider.ts
+++ b/src/git-source-provider.ts
@@ -259,14 +259,34 @@ async function configureAuthToken(
  git: IGitCommandManager,
  authToken: string
 ): Promise<void> {
-  // Add extraheader (auth)
-  const base64Credentials = Buffer.from(
+  // Configure a placeholder value. This approach avoids the credential being captured
+  // by process creation audit events, which are commonly logged. For more information,
+  // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
+  const placeholder = `AUTHORIZATION: basic ***`
+  await git.config(authConfigKey, placeholder)
+
+  // Determine the basic credential value
+  const basicCredential = Buffer.from(
    `x-access-token:${authToken}`,
    'utf8'
  ).toString('base64')
-  core.setSecret(base64Credentials)
-  const authConfigValue = `AUTHORIZATION: basic ${base64Credentials}`
-  await git.config(authConfigKey, authConfigValue)
+  core.setSecret(basicCredential)
+
+  // Replace the value in the config file
+  const configPath = path.join(git.getWorkingDirectory(), '.git', 'config')
+  let content = (await fs.promises.readFile(configPath)).toString()
+  const placeholderIndex = content.indexOf(placeholder)
+  if (
+    placeholderIndex < 0 ||
+    placeholderIndex != content.lastIndexOf(placeholder)
+  ) {
+    throw new Error('Unable to replace auth placeholder in .git/config')
+  }
+  content = content.replace(
+    placeholder,
+    `AUTHORIZATION: basic ${basicCredential}`
+  )
+  await fs.promises.writeFile(configPath, content)
 }

 async function removeGitConfig(