Page MenuHomeSoftware Heritage
Differential D7843

origin_save: Reject save request when origin URL contains a password
ClosedPublic
Actions

Authored by anlambert on May 17 2022, 5:34 PM.

Details

Reviewers
vlorentz
Group Reviewers
Reviewers
Maniphest Tasks
T4240: Do not accept save requests with credentials leaked in the origin URL
Commits
rDWAPPSf2d6fec278db: origin_save: Reject save request when origin URL contains a password
Summary

For obvious security reasons, do not accept a Save Code Now request
for an origin URL containing a password in it as the list of submitted
requests are publicly browsable from the Web UI.

Nevertheless accept origin URLs with anonymous credentials (CVS ones
for instance).

Related to T4240

Diff Detail

Repository
rDWAPPS Web applications
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

anlambert created this revision.May 17 2022, 5:34 PM
Herald added a reviewer: Reviewers. · View Herald TranscriptMay 17 2022, 5:34 PM
swh-public-ci added a comment.May 17 2022, 5:57 PM

Build has FAILED

Patch application report for D7843 (id=28336)

Rebasing onto f65bb5bc84...

Current branch diff-target is up to date.
Changes applied before test
commit f2d6fec278db0f5d045293343019ac8a95b2e3af
Author: Antoine Lambert <anlambert@softwareheritage.org>
Date:   Tue May 17 17:29:11 2022 +0200

    origin_save: Reject save request when origin URL contains a password
    
    For obvious security reasons, do not accept a Save Code Now request
    for an origin URL containing a password in it as the list of submitted
    requests are publicly browsable from the Web UI.
    
    Nevertheless accept origin URLs with anonymous credentials (CVS ones
    for instance).
    
    Related to T4240

Link to build: https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/1845/
See console output for more information: https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/1845/console

Harbormaster returned this revision to the author for changes because remote builds failed.May 17 2022, 5:57 PM
Harbormaster failed remote builds in B29440: Diff 28336!
swh-public-ci added a comment.May 17 2022, 6:10 PM

Build has FAILED

Patch application report for D7843 (id=28336)

Rebasing onto f65bb5bc84...

Current branch diff-target is up to date.
Changes applied before test
commit f2d6fec278db0f5d045293343019ac8a95b2e3af
Author: Antoine Lambert <anlambert@softwareheritage.org>
Date:   Tue May 17 17:29:11 2022 +0200

    origin_save: Reject save request when origin URL contains a password
    
    For obvious security reasons, do not accept a Save Code Now request
    for an origin URL containing a password in it as the list of submitted
    requests are publicly browsable from the Web UI.
    
    Nevertheless accept origin URLs with anonymous credentials (CVS ones
    for instance).
    
    Related to T4240

Link to build: https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/1846/
See console output for more information: https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/1846/console

swh-public-ci added a comment.May 17 2022, 7:49 PM

Build is green

Patch application report for D7843 (id=28336)

Rebasing onto f65bb5bc84...

Current branch diff-target is up to date.
Changes applied before test
commit f2d6fec278db0f5d045293343019ac8a95b2e3af
Author: Antoine Lambert <anlambert@softwareheritage.org>
Date:   Tue May 17 17:29:11 2022 +0200

    origin_save: Reject save request when origin URL contains a password
    
    For obvious security reasons, do not accept a Save Code Now request
    for an origin URL containing a password in it as the list of submitted
    requests are publicly browsable from the Web UI.
    
    Nevertheless accept origin URLs with anonymous credentials (CVS ones
    for instance).
    
    Related to T4240

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/1847/ for more details.

Harbormaster completed remote builds in B29440: Diff 28336.May 17 2022, 7:49 PM
anlambert requested review of this revision.May 17 2022, 7:49 PM
vlorentz accepted this revision.May 18 2022, 11:09 AM
This revision is now accepted and ready to land.May 18 2022, 11:09 AM
Closed by commit rDWAPPSf2d6fec278db: origin_save: Reject save request when origin URL contains a password (authored by anlambert). · Explain WhyMay 18 2022, 11:12 AM
This revision was automatically updated to reflect the committed changes.
anlambert added a commit: rDWAPPSf2d6fec278db: origin_save: Reject save request when origin URL contains a password.

Revision Contents
Changeset List

PathSize
assets/
src/
bundles/
save/
9 lines
cypress/
integration/
69 lines
swh/
web/
common/
10 lines
tests/
api/
views/
52 lines

Diff 28340

View Options

assets/src/bundles/save/index.js

Loading...
View Options

cypress/integration/origin-save.spec.js

Loading...
View Options

swh/web/common/origin_save.py

Loading...
View Options

swh/web/tests/api/views/test_origin_save.py

Loading...
About · Developer information · Legal