|
| 1 | +From 5d6079f8ad16f553cdaea1d56fedcb4a3a1db082 Mon Sep 17 00:00:00 2001 |
| 2 | +From: William Martin < [email protected]> |
| 3 | +Date: Thu, 31 Oct 2024 14:07:48 +0100 |
| 4 | +Subject: [PATCH] Fix token exposure for non-gh hosts in codespaces |
| 5 | + |
| 6 | +This commit introduces a fix for `GITHUB_TOKEN` being exposed to non-github hosts while in a codespace. We no longer return the `GITHUB_TOKEN` for any host except github.com and github.localhost while in a codespace (while the env var `CODESPACES` is `true`). |
| 7 | + |
| 8 | +This commit also changes how tokens are returned when no OAuth token is found in a config. Previously, an empty string and the `oauthToken` source was returned. Now, we return an empty string and the `defaultSource` source. The intention behind this change is to make more logical sense by not returning an `oauthToken` source when we didn't get any token. It's also worth mentioning that this change also improves our test coverage - all lines in `tokenForHost` are now covered by tests, and we don't have unreachable code. |
| 9 | + |
| 10 | +Co-authored-by: Kynan Ware < [email protected]> |
| 11 | + |
| 12 | +Modified patch to apply to AzureLinux |
| 13 | +Modified-by: Sandeep Karambelkar < [email protected]> |
| 14 | +--- |
| 15 | + pkg/auth/auth.go | 27 ++++++++---- |
| 16 | + 1 file changed, 91 insertions(+), 33 deletions(-) |
| 17 | + |
| 18 | +diff --git a/vendor/github.com/cli/go-gh/v2/pkg/auth/auth.go b/vendor/github.com/cli/go-gh/v2/pkg/auth/auth.go |
| 19 | +index a903736..4378e75 100644 |
| 20 | +--- a/vendor/github.com/cli/go-gh/v2/pkg/auth/auth.go |
| 21 | ++++ b/vendor/github.com/cli/go-gh/v2/pkg/auth/auth.go |
| 22 | +@@ -63,6 +63,15 @@ func TokenFromEnvOrConfig(host string) (string, string) { |
| 23 | + |
| 24 | + func tokenForHost(cfg *config.Config, host string) (string, string) { |
| 25 | + host = NormalizeHostname(host) |
| 26 | ++ |
| 27 | ++ if isCodespaces, _ := strconv.ParseBool(os.Getenv(codespaces)); isCodespaces { |
| 28 | ++ if host == github || host == localhost { |
| 29 | ++ if token := os.Getenv(githubToken); token != "" { |
| 30 | ++ return token, githubToken |
| 31 | ++ } |
| 32 | ++ } |
| 33 | ++ } |
| 34 | ++ |
| 35 | + if IsEnterprise(host) { |
| 36 | + if token := os.Getenv(ghEnterpriseToken); token != "" { |
| 37 | + return token, ghEnterpriseToken |
| 38 | +@@ -70,25 +79,25 @@ func tokenForHost(cfg *config.Config, host string) (string, string) { |
| 39 | + if token := os.Getenv(githubEnterpriseToken); token != "" { |
| 40 | + return token, githubEnterpriseToken |
| 41 | + } |
| 42 | +- if isCodespaces, _ := strconv.ParseBool(os.Getenv(codespaces)); isCodespaces { |
| 43 | +- if token := os.Getenv(githubToken); token != "" { |
| 44 | +- return token, githubToken |
| 45 | +- } |
| 46 | +- } |
| 47 | + if cfg != nil { |
| 48 | +- token, _ := cfg.Get([]string{hostsKey, host, oauthToken}) |
| 49 | +- return token, oauthToken |
| 50 | ++ if token, _ := cfg.Get([]string{hostsKey, host, oauthToken}); token != "" { |
| 51 | ++ return token, oauthToken |
| 52 | ++ } |
| 53 | + } |
| 54 | ++ return "", defaultSource |
| 55 | + } |
| 56 | ++ |
| 57 | + if token := os.Getenv(ghToken); token != "" { |
| 58 | + return token, ghToken |
| 59 | + } |
| 60 | + if token := os.Getenv(githubToken); token != "" { |
| 61 | + return token, githubToken |
| 62 | + } |
| 63 | ++ |
| 64 | + if cfg != nil { |
| 65 | +- token, _ := cfg.Get([]string{hostsKey, host, oauthToken}) |
| 66 | +- return token, oauthToken |
| 67 | ++ if token, _ := cfg.Get([]string{hostsKey, host, oauthToken}); token != "" { |
| 68 | ++ return token, oauthToken |
| 69 | ++ } |
| 70 | + } |
| 71 | + return "", defaultSource |
| 72 | + } |
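Review bot: The codespaces guard added at the top of tokenForHost only restricts the early return; the unconditional `GITHUB_TOKEN` branch after the enterprise block (`if token := os.Getenv(githubToken); token != ""` just before the final config lookup) still hands that token to any host that `IsEnterprise` does not classify as enterprise, so the commit-message claim that the token is returned only for github.com/localhost in a codespace holds only if `IsEnterprise` rejects nothing but those two hosts. `IsEnterprise` and `NormalizeHostname` are outside the hunk, so I cannot confirm that from here; if `IsEnterprise` also excludes other host classes (e.g. tenancy hosts), the exposure persists for them. A cheap way to make the property hold regardless is to hoist the parse to function scope, `isCodespaces, _ := strconv.ParseBool(os.Getenv(codespaces))`, and guard the lower branch with `if token := os.Getenv(githubToken); token != "" && !isCodespaces {`, which is behavior-preserving for github.com/localhost because the early return already covers them. Both hunks together contain the whole of tokenForHost, but the helpers it calls are not visible.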