Strip out credentials from git URIs if they are present (#1083)

andrian-sevastyanov · web-flow · commit 85f5ba66db60 · 2024-04-04T13:16:37.000-06:00
* Strip out credentials from git URIs if they are present

* Provide example URL in a comment
diff --git a/detectable/src/main/java/com/synopsys/integration/detectable/detectables/git/GitUrlParser.java b/detectable/src/main/java/com/synopsys/integration/detectable/detectables/git/GitUrlParser.java
@@ -0,0 +1,45 @@
+package com.synopsys.integration.detectable.detectables.git;
+
+import java.net.MalformedURLException;
+import java.net.URI;
+import java.net.URISyntaxException;
+
+import org.apache.commons.lang3.StringUtils;
+
+public class GitUrlParser {
+    // Parses urls such as: https://github.com/blackducksoftware/synopsys-detect
+    public String getRepoName(String remoteUrlString) throws MalformedURLException {
+        String[] pieces = remoteUrlString.split("[/:]");
+        if (pieces.length >= 2) {
+            String organization = pieces[pieces.length - 2];
+            String repo = pieces[pieces.length - 1];
+            String name = String.format("%s/%s", organization, repo);
+            return StringUtils.removeEnd(StringUtils.removeStart(name, "/"), ".git");
+        } else {
+            throw new MalformedURLException("Failed to extract repository name from url. Not logging url for security.");
+        }
+    }
+
+    /**
+     * Strip out credentials if the string is a URI and contains credentials.
+     * 
+     * For example, a URL such as https://user:pass@synopsys.com/some/repo will become https://synopsys.com/some/repo
+     * 
+     * @param remoteUrlString
+     * @return sanitized URI or original string
+     */
+    public String removeCredentialsFromUri(String remoteUrlString) {
+        if (remoteUrlString != null) {
+            try {
+                URI uri = new URI(remoteUrlString);
+                String userInfo = uri.getUserInfo();
+                if (userInfo != null) {
+                    remoteUrlString = remoteUrlString.replace(userInfo + "@", "");
+                }
+            } catch (URISyntaxException e) {
+                // this is not a valid URI, so we will not attempt to remove credentials
+            }
+        }
+        return remoteUrlString;
+    }    
+}
diff --git a/detectable/src/main/java/com/synopsys/integration/detectable/detectables/git/cli/GitCliExtractor.java b/detectable/src/main/java/com/synopsys/integration/detectable/detectables/git/cli/GitCliExtractor.java
@@ -8,6 +8,7 @@
 
 import com.synopsys.integration.blackduck.bdio2.model.GitInfo;
 import com.synopsys.integration.detectable.ExecutableTarget;
+import com.synopsys.integration.detectable.detectables.git.GitUrlParser;
 import com.synopsys.integration.detectable.extraction.Extraction;
 import com.synopsys.integration.detectable.extraction.ExtractionMetadata;
 import com.synopsys.integration.detectable.util.ToolVersionLogger;
@@ -36,6 +37,7 @@ public Extraction extract(ExecutableTarget gitExecutable, File directory) {
             toolVersionLogger.log(directory, gitExecutable);
 
             String remoteUrl = gitCommandRunner.getRepoUrl(gitExecutable, directory);
+            remoteUrl = gitUrlParser.removeCredentialsFromUri(remoteUrl);
             String repoName = gitUrlParser.getRepoName(remoteUrl);
 
             Optional<String> branch = Optional.ofNullable(gitCommandRunner.getRepoBranch(gitExecutable, directory));
diff --git a/detectable/src/main/java/com/synopsys/integration/detectable/detectables/git/cli/GitUrlParser.java b/detectable/src/main/java/com/synopsys/integration/detectable/detectables/git/cli/GitUrlParser.java
diff --git a/detectable/src/main/java/com/synopsys/integration/detectable/detectables/git/parsing/GitParseExtractor.java b/detectable/src/main/java/com/synopsys/integration/detectable/detectables/git/parsing/GitParseExtractor.java
@@ -14,6 +14,7 @@
 import org.slf4j.LoggerFactory;
 
 import com.synopsys.integration.blackduck.bdio2.model.GitInfo;
+import com.synopsys.integration.detectable.detectables.git.GitUrlParser;
 import com.synopsys.integration.detectable.detectables.git.parsing.model.GitConfig;
 import com.synopsys.integration.detectable.detectables.git.parsing.model.GitConfigResult;
 import com.synopsys.integration.detectable.detectables.git.parsing.parse.GitConfigNameVersionTransformer;
@@ -30,11 +31,13 @@ public class GitParseExtractor {
     private final GitFileParser gitFileParser;
     private final GitConfigNameVersionTransformer gitConfigExtractor;
     private final GitConfigNodeTransformer gitConfigNodeTransformer;
+    private final GitUrlParser gitUrlParser;
 
-    public GitParseExtractor(GitFileParser gitFileParser, GitConfigNameVersionTransformer gitConfigExtractor, GitConfigNodeTransformer gitConfigNodeTransformer) {
+    public GitParseExtractor(GitFileParser gitFileParser, GitConfigNameVersionTransformer gitConfigExtractor, GitConfigNodeTransformer gitConfigNodeTransformer, GitUrlParser gitUrlParser) {
         this.gitFileParser = gitFileParser;
         this.gitConfigExtractor = gitConfigExtractor;
         this.gitConfigNodeTransformer = gitConfigNodeTransformer;
+        this.gitUrlParser = gitUrlParser;
     }
 
     public final Extraction extract(@Nullable File gitConfigFile, @Nullable File gitHeadFile, @Nullable File gitOriginHeadFile) {
@@ -58,7 +61,7 @@ public final Extraction extract(@Nullable File gitConfigFile, @Nullable File git
             String headCommitHash = StringUtils.trimToNull(readFileToStringSafetly(gitOriginHeadFile));
 
             GitInfo gitInfo = new GitInfo(
-                gitConfigResult.getRemoteUrl(),
+                gitUrlParser.removeCredentialsFromUri(gitConfigResult.getRemoteUrl()),
                 headCommitHash,
                 gitConfigResult.getBranch().orElse(null)
             );
diff --git a/detectable/src/main/java/com/synopsys/integration/detectable/detectables/git/parsing/parse/GitConfigNameVersionTransformer.java b/detectable/src/main/java/com/synopsys/integration/detectable/detectables/git/parsing/parse/GitConfigNameVersionTransformer.java
@@ -10,7 +10,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import com.synopsys.integration.detectable.detectables.git.cli.GitUrlParser;
+import com.synopsys.integration.detectable.detectables.git.GitUrlParser;
 import com.synopsys.integration.detectable.detectables.git.parsing.model.GitConfig;
 import com.synopsys.integration.detectable.detectables.git.parsing.model.GitConfigBranch;
 import com.synopsys.integration.detectable.detectables.git.parsing.model.GitConfigRemote;
diff --git a/detectable/src/main/java/com/synopsys/integration/detectable/detectables/swift/cli/SwiftPackageTransformer.java b/detectable/src/main/java/com/synopsys/integration/detectable/detectables/swift/cli/SwiftPackageTransformer.java
@@ -9,7 +9,7 @@
 import com.synopsys.integration.bdio.model.dependency.Dependency;
 import com.synopsys.integration.bdio.model.externalid.ExternalId;
 import com.synopsys.integration.detectable.detectable.codelocation.CodeLocation;
-import com.synopsys.integration.detectable.detectables.git.cli.GitUrlParser;
+import com.synopsys.integration.detectable.detectables.git.GitUrlParser;
 import com.synopsys.integration.detectable.detectables.swift.cli.model.SwiftPackage;
 
 public class SwiftPackageTransformer {
diff --git a/detectable/src/main/java/com/synopsys/integration/detectable/detectables/swift/lock/transform/PackageResolvedTransformer.java b/detectable/src/main/java/com/synopsys/integration/detectable/detectables/swift/lock/transform/PackageResolvedTransformer.java
@@ -13,7 +13,7 @@
 import com.synopsys.integration.bdio.graph.DependencyGraph;
 import com.synopsys.integration.bdio.model.Forge;
 import com.synopsys.integration.bdio.model.dependency.Dependency;
-import com.synopsys.integration.detectable.detectables.git.cli.GitUrlParser;
+import com.synopsys.integration.detectable.detectables.git.GitUrlParser;
 import com.synopsys.integration.detectable.detectables.swift.lock.data.PackageState;
 import com.synopsys.integration.detectable.detectables.swift.lock.data.ResolvedPackage;
 
diff --git a/detectable/src/main/java/com/synopsys/integration/detectable/factory/DetectableFactory.java b/detectable/src/main/java/com/synopsys/integration/detectable/factory/DetectableFactory.java
@@ -131,9 +131,9 @@
 import com.synopsys.integration.detectable.detectables.docker.parser.DockerInspectorResultsFileParser;
 import com.synopsys.integration.detectable.detectables.git.GitCliDetectable;
 import com.synopsys.integration.detectable.detectables.git.GitParseDetectable;
+import com.synopsys.integration.detectable.detectables.git.GitUrlParser;
 import com.synopsys.integration.detectable.detectables.git.cli.GitCliExtractor;
 import com.synopsys.integration.detectable.detectables.git.cli.GitCommandRunner;
-import com.synopsys.integration.detectable.detectables.git.cli.GitUrlParser;
 import com.synopsys.integration.detectable.detectables.git.parsing.GitParseExtractor;
 import com.synopsys.integration.detectable.detectables.git.parsing.parse.GitConfigNameVersionTransformer;
 import com.synopsys.integration.detectable.detectables.git.parsing.parse.GitConfigNodeTransformer;
@@ -808,7 +808,7 @@ private GitConfigNodeTransformer gitConfigNodeTransformer() {
     }
 
     private GitParseExtractor gitParseExtractor() {
-        return new GitParseExtractor(gitFileParser(), gitConfigNameVersionTransformer(), gitConfigNodeTransformer());
+        return new GitParseExtractor(gitFileParser(), gitConfigNameVersionTransformer(), gitConfigNodeTransformer(), gitUrlParser());
     }
 
     private GitUrlParser gitUrlParser() {
diff --git a/detectable/src/test/java/com/synopsys/integration/detectable/detectables/git/unit/GitConfigNameVersionTransformerTest.java b/detectable/src/test/java/com/synopsys/integration/detectable/detectables/git/unit/GitConfigNameVersionTransformerTest.java
@@ -11,7 +11,7 @@
 
 import org.junit.jupiter.api.Test;
 
-import com.synopsys.integration.detectable.detectables.git.cli.GitUrlParser;
+import com.synopsys.integration.detectable.detectables.git.GitUrlParser;
 import com.synopsys.integration.detectable.detectables.git.parsing.model.GitConfig;
 import com.synopsys.integration.detectable.detectables.git.parsing.model.GitConfigBranch;
 import com.synopsys.integration.detectable.detectables.git.parsing.model.GitConfigRemote;
diff --git a/detectable/src/test/java/com/synopsys/integration/detectable/detectables/git/unit/GitUrlParserTest.java b/detectable/src/test/java/com/synopsys/integration/detectable/detectables/git/unit/GitUrlParserTest.java
@@ -5,11 +5,11 @@
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Test;
 
-import com.synopsys.integration.detectable.detectables.git.cli.GitUrlParser;
+import com.synopsys.integration.detectable.detectables.git.GitUrlParser;
 
 class GitUrlParserTest {
     @Test
-    void sshUrl() throws MalformedURLException {
+    void testGetRepoName_sshUrl() throws MalformedURLException {
         GitUrlParser gitUrlParser = new GitUrlParser();
         final String remoteUrl = "ssh://user@synopsys.com:12345/blackducksoftware/synopsys-detect";
         String repoName = gitUrlParser.getRepoName(remoteUrl);
@@ -18,7 +18,7 @@ void sshUrl() throws MalformedURLException {
     }
 
     @Test
-    void gitUrl() throws MalformedURLException {
+    void testGetRepoName_gitUrl() throws MalformedURLException {
         GitUrlParser gitUrlParser = new GitUrlParser();
         final String remoteUrl = "git://git.yoctoproject.org/poky.git";
         String repoName = gitUrlParser.getRepoName(remoteUrl);
@@ -27,7 +27,7 @@ void gitUrl() throws MalformedURLException {
     }
 
     @Test
-    void gitAtUrl() throws MalformedURLException {
+    void testGetRepoName_gitAtUrl() throws MalformedURLException {
         GitUrlParser gitUrlParser = new GitUrlParser();
         final String remoteUrl = "git@github.com:blackducksoftware/synopsys-detect.git";
         String repoName = gitUrlParser.getRepoName(remoteUrl);
@@ -36,7 +36,7 @@ void gitAtUrl() throws MalformedURLException {
     }
 
     @Test
-    void httpsUrl() throws MalformedURLException {
+    void testGetRepoName_httpsUrl() throws MalformedURLException {
         GitUrlParser gitUrlParser = new GitUrlParser();
         final String remoteUrl = "https://github.com/blackducksoftware/synopsys-detect";
         String repoName = gitUrlParser.getRepoName(remoteUrl);
@@ -45,11 +45,47 @@ void httpsUrl() throws MalformedURLException {
     }
 
     @Test
-    void httpsEncodedUsernamePasswordUrl() throws MalformedURLException {
+    void testGetRepoName_httpsEncodedUsernamePasswordUrl() throws MalformedURLException {
         GitUrlParser gitUrlParser = new GitUrlParser();
         final String remoteUrl = "https://USERNAME:PASSWORD@SERVER/test/path/to/blackducksoftware/synopsys-detect.git";
         String repoName = gitUrlParser.getRepoName(remoteUrl);
 
         Assertions.assertEquals("blackducksoftware/synopsys-detect", repoName);
     }
-}
+
+    @Test
+    void testRemoveCredentialsFromUrl_nonUri() {
+        GitUrlParser gitUrlParser = new GitUrlParser();
+        final String remoteUrl = "git@github.com:blackducksoftware/synopsys-detect.git";
+        String sanitized = gitUrlParser.removeCredentialsFromUri(remoteUrl);
+
+        Assertions.assertEquals(remoteUrl, sanitized);
+    }
+
+    @Test
+    void testRemoveCredentialsFromUrl_sshUri() {
+        GitUrlParser gitUrlParser = new GitUrlParser();
+        final String remoteUrl = "ssh://user@synopsys.com:12345/blackducksoftware/synopsys-detect";
+        String sanitized = gitUrlParser.removeCredentialsFromUri(remoteUrl);
+
+        Assertions.assertEquals("ssh://synopsys.com:12345/blackducksoftware/synopsys-detect", sanitized);
+    }
+
+    @Test
+    void testRemoveCredentialsFromUrl_httpsWithCredentials() {
+        GitUrlParser gitUrlParser = new GitUrlParser();
+        final String remoteUrl = "https://user:pass@github.com/blackducksoftware/synopsys-detect.git";
+        String sanitized = gitUrlParser.removeCredentialsFromUri(remoteUrl);
+
+        Assertions.assertEquals("https://github.com/blackducksoftware/synopsys-detect.git", sanitized);
+    }
+
+    @Test
+    void testRemoveCredentialsFromUrl_httpsWithoutCredentials() {
+        GitUrlParser gitUrlParser = new GitUrlParser();
+        final String remoteUrl = "https://github.com/blackducksoftware/synopsys-detect.git";
+        String sanitized = gitUrlParser.removeCredentialsFromUri(remoteUrl);
+
+        Assertions.assertEquals(remoteUrl, sanitized);
+    }
+}
diff --git a/detectable/src/test/java/com/synopsys/integration/detectable/detectables/swift/lock/transform/PackageResolvedTransformerTest.java b/detectable/src/test/java/com/synopsys/integration/detectable/detectables/swift/lock/transform/PackageResolvedTransformerTest.java
@@ -14,7 +14,7 @@
 import com.synopsys.integration.bdio.graph.DependencyGraph;
 import com.synopsys.integration.bdio.model.Forge;
 import com.synopsys.integration.bdio.model.externalid.ExternalId;
-import com.synopsys.integration.detectable.detectables.git.cli.GitUrlParser;
+import com.synopsys.integration.detectable.detectables.git.GitUrlParser;
 import com.synopsys.integration.detectable.detectables.swift.lock.data.PackageResolvedFormat;
 import com.synopsys.integration.detectable.detectables.swift.lock.data.PackageState;
 import com.synopsys.integration.detectable.detectables.swift.lock.data.ResolvedPackage;
