[1/2] t5551: test that GIT_TRACE_CURL redacts password

Message ID bee4fc7241596a6b4206fa8b52dfdaea88180f37.1589218693.git.jonathantanmy@google.com (mailing list archive)
State New, archived
Series Safer GIT_CURL_VERBOSE

Commit Message

Jonathan Tan May 11, 2020, 5:43 p.m. UTC
Verify that when GIT_TRACE_CURL is set, Git prints out "Authorization:
Basic <redacted>" instead of the base64-encoded authorization details.

Signed-off-by: Jonathan Tan <jonathantanmy@google.com>
---
 t/t5551-http-fetch-smart.sh | 12 ++++++++++++
 1 file changed, 12 insertions(+)

Comments

Jeff King May 12, 2020, 7:08 p.m. UTC | #1
On Mon, May 11, 2020 at 10:43:09AM -0700, Jonathan Tan wrote:

> Verify that when GIT_TRACE_CURL is set, Git prints out "Authorization:
> Basic <redacted>" instead of the base64-encoded authorization details.

Yeah, it's definitely worth testing this. The patch looks good to me.

-Peff
Patch

diff --git a/t/t5551-http-fetch-smart.sh b/t/t5551-http-fetch-smart.sh
index 6788aeface..acc8473a72 100755
--- a/t/t5551-http-fetch-smart.sh
+++ b/t/t5551-http-fetch-smart.sh
@@ -185,6 +185,18 @@  test_expect_success 'redirects send auth to new location' '
 	expect_askpass both user@host auth/smart/repo.git
 '
 
+test_expect_success 'GIT_TRACE_CURL redacts auth details' '
+	rm -rf redact-auth trace &&
+	set_askpass user@host pass@host &&
+	GIT_TRACE_CURL="$(pwd)/trace" git clone --bare "$HTTPD_URL/auth/smart/repo.git" redact-auth &&
+	expect_askpass both user@host &&
+
+	# Ensure that there is no "Basic" followed by a base64 string, but that
+	# the auth details are redacted
+	! grep "Authorization: Basic [0-9a-zA-Z+/]" trace &&
+	grep "Authorization: Basic <redacted>" trace
+'
+
 test_expect_success 'disable dumb http on server' '
 	git --git-dir="$HTTPD_DOCUMENT_ROOT_PATH/repo.git" \
 		config http.getanyfile false
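
Review bot: The negative check `! grep "Authorization: Basic [0-9a-zA-Z+/]" trace` in the new 'GIT_TRACE_CURL redacts auth details' test is tied to one exact spelling of the header, so a credential logged with different casing or spacing (for example a lowercased header name) would pass unnoticed. Consider also asserting that the base64 encoding of `user@host:pass@host`, the values given to `set_askpass`, appears nowhere in the trace, which tests for the secret itself rather than its framing. It would also be worth saying in the comment that the positive grep for `Authorization: Basic <redacted>` is what keeps the negative grep from passing vacuously when no Authorization header is traced at all.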