Conversation
Signed-off-by: Isaac Milarsky <imilarsky@gmail.com>
Signed-off-by: Isaac Milarsky <imilarsky@gmail.com>
Signed-off-by: Isaac Milarsky <imilarsky@gmail.com>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
augur/application/cli/backend.py
Outdated
| with open("/tmp/.git-credentials", "w") as f: | ||
| f.write(credential_file_text) | ||
|
|
||
| os.symlink("/tmp/.git-credentials", f"{repo_base_directory}/.git-credentials") |
Check warning
Code scanning / Bandit
Probable insecure usage of temp file/directory. Warning
| os.symlink("/tmp/.git-credentials", f"{repo_base_directory}/.git-credentials") | ||
|
|
||
| facade_credential_store = f"git config --global credential.helper \"store --file {repo_base_directory}/.git-credentials\"" | ||
| subprocess.Popen(facade_credential_store.split(" ")) |
Check notice
Code scanning / Bandit
subprocess call - check for execution of untrusted input. Note
Signed-off-by: Isaac Milarsky <imilarsky@gmail.com>
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
| import traceback | ||
| import requests | ||
| import tempfile | ||
| from redis.exceptions import ConnectionError as RedisConnectionError |
There was a problem hiding this comment.
[pylint] reported by reviewdog 🐶
W0611: Unused ConnectionError imported from redis.exceptions as RedisConnectionError (unused-import)
Signed-off-by: Isaac Milarsky <imilarsky@gmail.com>
|
Can you document the core reason for making this change in the PR as well? As far as i noticed recently, it seems like we are already writing this file. if we can use the timeout parameter to have git keep these credentials in memory (https://stackoverflow.com/a/35943882/), or some other, more robust secret storage method like GCM (https://stackoverflow.com/questions/36585496/error-when-using-git-credential-helper-with-gnome-keyring-as-sudo/40312117#40312117) that would be better than storing keys on disk IMO. If we need to have the augur instance hosts come up with a secret value (like other self hosted open source apps have) to use as the credential to unlock the secret store/decrypt credentials, that may help us be a little safer with how we handle git credentials |
2 participants
Description
Move credential storing logic to when augur is started instead of storing them on install.
Also, move the
.git-credentialsfile to a temporary file and symbolic link the file to the facade directory.This PR fixes #2928
Notes for Reviewers
Signed commits