RepositoryUrl may contain username and password

[sbj42]

In a CI job, the git remote URL may contain sensitive information such as a username and password. For instance GitLab Runner jobs store a username gitlab-ci-token with a generated password for that job. GitInfo stores the remote URL in its RepositoryUrl field, and so that "token" password is leaked in the build output.

Steps to reproduce:

You can run the following command on any GitInfo-using project and check out the RepositoryUrl to see that the password is still stored:

git remote set-url origin https://jdoe:[email protected]/example.git

For a complete example:

1. Clone https://github.com/sbj42/GitInfo-password-issue.git
2. Set the remote url with this command: git remote set-url origin https://jdoe:[email protected]/example.git
3. Open the solution in Visual Studio, build it, and run the resulting executable.

Expected results:

The output should not print the username and password portions of the remote URL.

The RepositoryUrl (which the program will print) should be https://example.com/example.git.

Actual results:

The program prints:

Hello World! https://jdoe:[email protected]/example.git

Recommendation

I don't know msbuild very well, but from browsing GitInfo.targets it looks like you can use regular expressions. So a possible solution would be to transform the RepositoryUrl with a regexp, replacing ://[^/]*@ with ://.