From f0775861ad43afece177c6dda846631cf4537752 Mon Sep 17 00:00:00 2001 From: Christian Ihle Date: Tue, 17 Jan 2023 14:37:42 +0100 Subject: [PATCH] Validate that bearer token is not used over http Signed-off-by: Christian Ihle --- git/gogit/client.go | 9 ++++++--- git/gogit/client_test.go | 28 +++++++++++++++++++++++++--- git/gogit/clone_test.go | 20 +++++++++++++++++--- 3 files changed, 48 insertions(+), 9 deletions(-) diff --git a/git/gogit/client.go b/git/gogit/client.go index 3054ed358..1577d6ef4 100644 --- a/git/gogit/client.go +++ b/git/gogit/client.go @@ -254,9 +254,12 @@ func (g *Client) validateUrl(u string) error { return errors.New("URL cannot contain credentials when using HTTP") } - if httpOrEmpty && g.authOpts != nil && - (g.authOpts.Username != "" || g.authOpts.Password != "") { - return errors.New("basic auth cannot be sent over HTTP") + if httpOrEmpty && g.authOpts != nil { + if g.authOpts.Username != "" || g.authOpts.Password != "" { + return errors.New("basic auth cannot be sent over HTTP") + } else if g.authOpts.BearerToken != "" { + return errors.New("bearer token cannot be sent over HTTP") + } } return nil diff --git a/git/gogit/client_test.go b/git/gogit/client_test.go index f0d691e07..c4b7afe6c 100644 --- a/git/gogit/client_test.go +++ b/git/gogit/client_test.go @@ -660,6 +660,7 @@ func TestValidateUrl(t *testing.T) { transport git.TransportType username string password string + bearerToken string url string credentialsOverHttp bool expectedError string 
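Review bot: The new `else if g.authOpts.BearerToken != ""` branch in validateUrl follows an `if` that already returns, so the `else` is redundant; Go style flattens it into a second guard, `}` followed by `if g.authOpts.BearerToken != "" {`, so each rejected credential type reads as its own check. The ordering also means a configuration carrying both basic-auth fields and a bearer token only ever reports the basic-auth error, which is fine as long as that precedence is intended. Both branches hang on `httpOrEmpty`, which is computed before the hunk, and the closing brace of validateUrl lies after it. Note that this guard only inspects the configured URL's scheme at validation time; whether the transport would still attach the Authorization header after a redirect to a plain-http host is not covered here and is worth confirming separately.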
@@ -687,6 +688,26 @@ func TestValidateUrl(t *testing.T) { password: "pass", url: "https://url", }, + { + name: "blocked: bearer token over http", + transport: git.HTTP, + bearerToken: "token", + url: "http://url", + expectedError: "bearer token cannot be sent over HTTP", + }, + { + name: "allowed: bearer token over http with insecure enabled", + transport: git.HTTP, + bearerToken: "token", + url: "http://url", + credentialsOverHttp: true, + }, + { + name: "allowed: bearer token over https", + transport: git.HTTPS, + bearerToken: "token", + url: "https://url", + }, } for _, tt := range tests { @@ -699,9 +720,10 @@ func TestValidateUrl(t *testing.T) { } ggc, err := NewClient(t.TempDir(), &git.AuthOptions{ - Transport: tt.transport, - Username: tt.username, - Password: tt.password, + Transport: tt.transport, + Username: tt.username, + Password: tt.password, + BearerToken: tt.bearerToken, }, opts...) g.Expect(err).ToNot(HaveOccurred()) diff --git a/git/gogit/clone_test.go b/git/gogit/clone_test.go index 90cdc3986..de2b4e3e2 100644 --- a/git/gogit/clone_test.go +++ b/git/gogit/clone_test.go @@ -988,6 +988,7 @@ func TestClone_CredentialsOverHttp(t *testing.T) { name string username string password string + bearerToken string allowCredentialsOverHttp bool transformURL func(string) string expectCloneErr string @@ -1009,6 +1010,11 @@ func TestClone_CredentialsOverHttp(t *testing.T) { password: "pass", expectCloneErr: "basic auth cannot be sent over HTTP", }, + { + name: "blocked: bearer token over HTTP", + bearerToken: "token", + expectCloneErr: "bearer token cannot be sent over HTTP", + }, { name: "blocked: URL based credential over HTTP (name)", transformURL: func(s string) string { 
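Review bot: The three new TestValidateUrl cases exercise a bearer token only with `transport: git.HTTP` and `git.HTTPS`; none leaves the transport at its zero value, even though the guard under test fires on `httpOrEmpty`, and none sets basic-auth fields together with a bearer token, so which of the two errors wins is left unpinned. Consider a case like `{name: "blocked: basic auth and bearer token over http", transport: git.HTTP, username: "user", bearerToken: "token", url: "http://url", expectedError: "basic auth cannot be sent over HTTP"}`, and, if an empty transport is what the "empty" half of `httpOrEmpty` covers (decided outside this hunk), a bearer-token case with `transport` unset. The `for _, tt := range tests {` body continues past the hunk.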
@@ -1069,6 +1075,13 @@ func TestClone_CredentialsOverHttp(t *testing.T) { allowCredentialsOverHttp: true, expectRequest: true, }, + { + name: "allowed: bearer token over HTTP", + bearerToken: "token", + expectCloneErr: "unable to clone", + allowCredentialsOverHttp: true, + expectRequest: true, + }, { name: "allowed: URL based credential over HTTP (name)", transformURL: func(s string) string { @@ -1129,9 +1142,10 @@ func TestClone_CredentialsOverHttp(t *testing.T) { } ggc, err := NewClient(tmpDir, &git.AuthOptions{ - Transport: git.HTTP, - Username: tt.username, - Password: tt.password, + Transport: git.HTTP, + Username: tt.username, + Password: tt.password, + BearerToken: tt.bearerToken, }, opts...) g.Expect(err).ToNot(HaveOccurred())
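Review bot: The new "allowed: bearer token over HTTP" clone case asserts only that a request reached the server (`expectRequest: true`) and that the clone then fails with `unable to clone`; nothing visible here checks that the request carried `Authorization: Bearer token`, so the case would also pass if the token were dropped once the HTTP guard is bypassed. If the test server handler can inspect headers, asserting on the Authorization value would make the "allowed" path prove the token is sent rather than merely not rejected by validateUrl; the basic-auth allowed case it mirrors has the same gap, but that is pre-existing. The test table and the loop that consumes it extend beyond this hunk.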