Ka Mok

Reputation: 1988

Is there a way to prevent git clone from leaking basic auth token?

We're doing this in our automation that gets logged:

GIT_CLONE_URL_WITH_AUTH=${REPOSITORY_GIT_CLONE_HTTPS_URL//"https://"/$BASIC_AUTH}

git clone -q "$GIT_CLONE_URL_WITH_AUTH" "$GIT_CLONE_DIRECTORY"

We see this on error:

Cloning https://github.my-company.com/owner/repo...
fatal: unable to access 'https://x-access-token:v1.e3243f43f43575232e54a45f11fa4c81eaefd32e@github.my-company.com/owner/repo/': The requested URL returned error: 504

The only thing we came up with is using grep to hide the logging like so:

| grep -v -e "fatal: unable to access 'https://x-access-token:"

Kinda crappy that --quiet mode is leaking our basic auth.

Edit: This is the recommended way to use the Git API as an installation of the GitHub App. I use SSH for my day-to-day git operations...

https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#http-based-git-access-by-an-installation

Upvotes: 0

Views: 339

Answers (1)

bk2204

Reputation: 76509

You should avoid placing credentials in the URL. This writes them to disk and isn't secure. The Git developers explicitly recommend against this.

Instead, you can follow the approach outlined in the Git FAQ:

$ git config --global credential.helper \
    '!f() { echo username=author; echo "password=$GIT_TOKEN"; };f'

That will read the credential from the GIT_TOKEN environment variable and use the username author.

Or, if you'd like to run this in a script:

$ git -c credential.helper='!f() { echo username=author; echo "password=$GIT_TOKEN"; };f' \
    clone https://github.com/git/git.git

You'll obviously want to change the URL and the credentials.

Upvotes: 2
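To show the two pieces of the discussion concretely (the credential-helper approach from the answer, and a proper version of the log-scrubbing the question resorted to), here is an added example that is not part of either post or of Git itself. It assumes the token lives in GIT_TOKEN and the username is x-access-token as in the question's URL; the host name is the one from the question's log line.

```shell
#!/bin/sh
# Added example: a standalone credential helper in the form Git expects,
# plus a redaction filter for logs. Not code from the original posts.
# Assumes: token in $GIT_TOKEN, username x-access-token (GitHub App style).

# Git runs a helper as `<helper> get` and feeds key=value lines on stdin
# (protocol=, host=, path=, ...) terminated by a blank line. The helper
# replies with username= and password= lines on stdout. The token is never
# part of a URL, so it cannot end up in "unable to access '<url>'" messages
# or in .git/config.
credential_get() {
    want_host="$1"
    proto=""
    host=""
    while IFS= read -r line; do
        [ -z "$line" ] && break
        case "$line" in
            protocol=*) proto="${line#protocol=}" ;;
            host=*)     host="${line#host=}" ;;
        esac
    done
    # Only hand the token to the intended host, and only over https, so a
    # misconfigured remote cannot harvest it.
    if [ "$host" = "$want_host" ] && [ "$proto" = "https" ]; then
        printf 'username=x-access-token\n'
        printf 'password=%s\n' "$GIT_TOKEN"
    fi
}

# Defence in depth for log output: strip any user:token@ userinfo from
# http(s) URLs instead of dropping whole lines with grep -v, so the error
# itself (here a 504) still reaches the log without the secret.
redact_url() {
    printf '%s\n' "$1" | sed -E 's#(https?://)[^/@[:space:]]+@#\1#g'
}

# Installed as credential.helper=/path/to/this-script, Git calls it with the
# action as $1; only "get" needs an answer. Host is a hypothetical setting.
if [ "${1:-}" = "get" ]; then
    credential_get "${CRED_HELPER_HOST:-github.my-company.com}"
fi
```

Pipe the automation's stderr through redact_url line by line (for example with a `while read` loop) rather than `grep -v`, so failures are still visible in the log.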
