fix(cli): sanitize remote url (#729)

Signed-off-by: Miguel Martinez Trivino <[email protected]>

Author: migmartri

internal/attestation/crafter/crafter.go

@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/url"
 	"os"
 	"path/filepath"
 	"strings"
@@ -340,15 +341,37 @@ func gracefulGitRepoHead(path string) (*HeadCommit, error) {
 			continue
 		}
 
+		remoteURI, err := sanitizeRemoteURL(r.Config().URLs[0])
+		if err != nil {
+			return nil, fmt.Errorf("sanitizing remote url: %w", err)
+		}
+
 		c.Remotes = append(c.Remotes, &CommitRemote{
 			Name: r.Config().Name,
-			URL:  r.Config().URLs[0],
+			URL:  remoteURI,
 		})
 	}
 
 	return c, nil
 }
 
+// Clear any basic auth credentials from the remote URL
+func sanitizeRemoteURL(remoteURL string) (string, error) {
+	uri, err := url.Parse(remoteURL)
+	if err != nil {
+		// check if it's a valid git@ url
+		if strings.HasPrefix(remoteURL, "git@") {
+			return remoteURL, nil
+		}
+
+		return "", fmt.Errorf("parsing remote url: %w", err)
+	}
+
+	// clear basic auth credentials
+	uri.User = nil
+	return uri.String(), nil
+}
+
 func initialCraftingState(cwd string, schema *schemaapi.CraftingSchema, wf *api.WorkflowMetadata, dryRun bool, runnerType schemaapi.CraftingSchema_Runner_RunnerType, jobURL string) (*api.CraftingState, error) {
 	// Get git commit hash
 	headCommit, err := gracefulGitRepoHead(cwd)

internal/attestation/crafter/crafter_unit_test.go

@@ -34,6 +34,49 @@ type crafterUnitSuite struct {
 	suite.Suite
 }
 
+func (s *crafterUnitSuite) TestSanitizeRemoteURI() {
+	testCases := []struct {
+		name    string
+		uri     string
+		want    string
+		wantErr bool
+	}{
+		{
+			name: "ssh",
+			uri:  "[email protected]:skynet.git",
+			want: "[email protected]:skynet.git",
+		},
+		{
+			name: "https",
+			uri:  "https://cyberdyne.com/skynet.git",
+			want: "https://cyberdyne.com/skynet.git",
+		},
+		{
+			name: "https with user",
+			uri:  "https://demo-user:[email protected]/skynet.git",
+			want: "https://cyberdyne.com/skynet.git",
+		},
+		{
+			name:    "invalid uri",
+			uri:     "https://demo-user@pass:cyberdyne.com/skynet.git",
+			wantErr: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		s.Run(tc.name, func() {
+			got, err := sanitizeRemoteURL(tc.uri)
+			if tc.wantErr {
+				s.Error(err)
+				return
+			}
+
+			require.NoError(s.T(), err)
+			s.Equal(tc.want, got)
+		})
+	}
+}
+
 func (s *crafterUnitSuite) TestGitRepoHead() {
 	initRepo := func(withCommit bool) func(string) (*HeadCommit, error) {
 		return func(repoPath string) (*HeadCommit, error) {