Re: Git ransom campaign incident report - May 2019
- Date: Fri, 17 May 2019 21:39:55 +0200 (DST)
- From: Johannes Schindelin <Johannes.Schindelin@xxxxxx>
- Subject: Re: Git ransom campaign incident report - May 2019
On Thu, 16 May 2019, Jeff King wrote:
> On Wed, May 15, 2019 at 08:59:47PM +0200, Ævar Arnfjörð Bjarmason wrote:
> > On Wed, May 15 2019, Martin Langhoff wrote:
> > > Spotted this on the internet...
> > >
> > > https://github.blog/2019-05-14-git-ransom-campaign-incident-report/
> > >
> > > Haven't hacked on git for a while, and I am not affiliated with any of
> > > the stakeholders. However, reading it, I wanted to slam my head on the
> > > desk.
> > >
> > > IIRC, git will sanely store a password elsewhere if it gets to prompt
> > > for it. Should we be trying to unpack usernames/passwords from HTTP
> > > urls, and DTRT with them?
> > >
> > > Are there other ways this could be made better?
> > I think we should do nothing.
> I think so, too.
> But just brainstorming, one thing we _could_ do is issue a warning when
> we see a password in a URL and say "hey, what you're doing isn't
> fantastic; considering using a credential helper".
> Of course I suspect there are many cases where people _do_ need to store
> the password in plaintext, because an automated system needs to fetch
> with it. They can use the plaintext git-credential-store, but it's
> slightly more hassle. And it doesn't really _solve_ the problem (though
> perhaps it would be harder to accidentally expose it with your web
One thing that we actually *could* do here is to anonymize the URLs stored
under remote.origin.url when cloning. In no other circumstance that I can
think of do we take a URL from some command-line parameter that is not
*explicitly* intended for storing in the config.
Combined with that warning "You cloned via a URL that contains
credentials; for security reasons, the credentials were scrubbed before
storing this in your Git config. Please consider using a credential
manager instead of storing secrets in your Git config." this should
provide a reasonable compromise.
Judging from looking at my own automated jobs, it does not appear that you
would *ever* need to store such credentials in the Git config, anyway. If
you need to, say, push to a repository, you can always store the full URL
(or the credentials) in a secret variable.
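The scrubbing step Johannes sketches above, written out as an added example for this page. This is not Git's implementation and not code from anyone in the thread; the function names (`scrub_url`, `credential_stdin`, `find_leaked_urls`), the choice to keep a bare username in the stored URL while dropping only the password, and the sample clone URL and `.git/config` text are all constructed for the illustration. The warning string reuses the wording proposed in the message.

```python
import re
from urllib.parse import urlsplit, urlunsplit, unquote

# Constructed warning text, mirroring the wording proposed in the thread.
SCRUB_WARNING = (
    "warning: You cloned via a URL that contains credentials; for security "
    "reasons, the credentials were scrubbed before storing this in your Git "
    "config. Please consider using a credential manager instead of storing "
    "secrets in your Git config."
)


def scrub_url(url):
    """Split a clone URL into the part that may be stored and the secret.

    Returns (stored_url, credential, warning). `credential` is a dict in the
    key=value vocabulary of `git credential` (protocol/host/username/password),
    or None when the URL carried no password; `warning` is the message to
    print, or None. Only the password is dropped: a bare username in the URL
    is what lets Git select the right credential later, so it is kept
    (an assumption of this example, not something the thread decided).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.password is None:
        return url, None, None  # ssh/scp-like or password-free: store as-is
    # Work on the raw netloc so host case and IPv6 brackets survive untouched;
    # rpartition on '@' tolerates an '@' inside the password itself.
    userinfo, _, hostport = parts.netloc.rpartition("@")
    raw_user, _, raw_pass = userinfo.partition(":")
    netloc = f"{raw_user}@{hostport}" if raw_user else hostport
    stored = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    cred = {
        "protocol": parts.scheme,
        "host": hostport,
        "username": unquote(raw_user),
        "password": unquote(raw_pass),
    }
    return stored, cred, SCRUB_WARNING


def credential_stdin(cred):
    """Render a credential in the form `git credential approve` reads on stdin."""
    return "".join(f"{k}={v}\n" for k, v in cred.items()) + "\n"


# Matches the `url = ...` lines git writes under [remote "..."] sections.
_URL_LINE = re.compile(r"^\s*url\s*=\s*(\S+)\s*$", re.MULTILINE)


def find_leaked_urls(config_text):
    """Return the remote URLs in a .git/config that still embed a password.

    This is the check to run across existing clones and CI workspaces: it
    flags exactly the kind of config entry the incident report is about.
    """
    return [u for u in _URL_LINE.findall(config_text)
            if scrub_url(u)[1] is not None]


if __name__ == "__main__":
    # Constructed sample input: a clone URL with an embedded secret and a
    # .git/config as `git clone` would have written it without scrubbing.
    leaky = "https://alice:s3cr%40t@git.example.com:8443/org/repo.git"
    stored, cred, warning = scrub_url(leaky)
    print(warning)
    print("stored:", stored)               # https://alice@git.example.com:8443/org/repo.git
    print(credential_stdin(cred), end="")  # what a credential helper would receive instead
    sample_config = (
        '[remote "origin"]\n\turl = ' + leaky + '\n'
        '[remote "upstream"]\n\turl = git@github.com:org/repo.git\n'
    )
    print("leaked:", find_leaked_urls(sample_config))
```

`find_leaked_urls` is the part to reuse today: point it at the `.git/config` of every checkout on a build host and you get the list of remotes whose URL still carries a password, which is the state the GitHub report describes. Pushing the `credential_stdin` output into `git credential approve` hands the secret to whatever helper is configured, so the remote URL itself can stay free of it.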