Do not expose pull mirror username and password

Contributes to https://gitlab.com/gitlab-org/gitlab/-/issues/230864 * Remove password value from the pull mirror form * Hide username from mirror url

Do not expose pull mirror username and password
Contributes to https://gitlab.com/gitlab-org/gitlab/-/issues/230864 * Remove password value from the pull mirror form * Hide username from mirror url
56a23cce · Vasilii Iakliushin · John T Skarbek · 1b32041f · 56a23cce · 56a23cce
Commit 56a23cce authored Apr 15, 2021 by Vasilii Iakliushin Committed by John T Skarbek Apr 28, 2021
4 changed files
--- a/app/views/projects/mirrors/_authentication_method.html.haml
+++ b/app/views/projects/mirrors/_authentication_method.html.haml
@@ -13,4 +13,4 @@
 .form-group
  .well-password-auth.collapse.js-well-password-auth
    = f.label :password, _("Password"), class: "label-bold"
-    = f.password_field :password, value: mirror.password, class: 'form-control gl-form-input qa-password', autocomplete: 'new-password'
+    = f.password_field :password, class: 'form-control gl-form-input qa-password', autocomplete: 'new-password'
--- a/ee/app/views/projects/mirrors/_mirror_repos_form.html.haml
+++ b/ee/app/views/projects/mirrors/_mirror_repos_form.html.haml
@@ -20,7 +20,7 @@

 %template.js-pull-mirrors-form
  = f.hidden_field :mirror, value: '1'
-  = f.hidden_field :username_only_import_url, class: 'js-mirror-url-hidden', required: true, pattern: "(#{protocols}):\/\/.+"
+  = f.hidden_field :username_only_import_url, class: 'js-mirror-url-hidden', required: true, pattern: "(#{protocols}):\/\/.+", value: ''
  = f.hidden_field :only_mirror_protected_branches, class: 'js-mirror-protected-hidden'

  = f.fields_for :import_data, import_data, include_id: false do |import_form|

--- a/ee/changelogs/unreleased/security-pull-mirror-token.yml
+++ b/ee/changelogs/unreleased/security-pull-mirror-token.yml
+---
+title: Do not expose pull mirror username and password
+merge_request:
+author:
+type: security
--- a/ee/spec/features/projects/settings/ee/repository_mirrors_settings_spec.rb
+++ b/ee/spec/features/projects/settings/ee/repository_mirrors_settings_spec.rb
@@ -50,10 +50,11 @@ RSpec.describe 'Project settings > [EE] repository' do

    context 'mirrored external repo', :js do
      let(:personal_access_token) { '461171575b95eeb61fba5face8ab838853d0121f' }
+      let(:password) { 'my-secret-pass' }
      let(:external_project) do
        create(:project_empty_repo,
               :mirror,
-               import_url: "https://#{personal_access_token}@github.com/testngalog2/newrepository.git")
+               import_url: "https://#{personal_access_token}:#{password}@github.com/testngalog2/newrepository.git")
      end

      before do
@@ -65,7 +66,14 @@ RSpec.describe 'Project settings > [EE] repository' do
        mirror_url = find('.mirror-url').text

        expect(mirror_url).not_to include(personal_access_token)
-        expect(mirror_url).to include('https://*****@github.com/')
+        expect(mirror_url).to include('https://*****:*****@github.com/')
+      end
+
+      it 'does not show password and personal access token on the page' do
+        page_content = page.body
+
+        expect(page_content).not_to include(password)
+        expect(page_content).not_to include(personal_access_token)
      end
    end