Remove Git remote origin after cloning sources

keuko · keuko · commit 405f95019354 · 2025-02-19T23:43:19.000+01:00
When kolla is cloning a Git repository during the build
process, the `.git/config` file retains the remote
origin URL, which may expose sensitive credentials if
authentication tokens are embedded in the URL.

This fix ensures that the remote is removed after cloning
to prevent unintended exposure of credentials.

Closes-Bug: #2098904
Change-Id: Iec21fc2363e03133ec77326da7392bc25b40132a
diff --git a/kolla/image/tasks.py b/kolla/image/tasks.py
@@ -232,6 +232,7 @@ def reset_userinfo(tarinfo):
                 git.Git().clone(source['source'], clone_dir)
                 git.Git(clone_dir).checkout(source['reference'])
                 reference_sha = git.Git(clone_dir).rev_parse('HEAD')
+                git.Git(clone_dir).remote("remove", "origin")
                 self.logger.debug("Git checkout by reference %s (%s)",
                                   source['reference'], reference_sha)
             except Exception as e:
diff --git a/releasenotes/notes/bug-2098904-4c5670049a7e1a66.yaml b/releasenotes/notes/bug-2098904-4c5670049a7e1a66.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Removes Git remote URLs after cloning to prevent credential exposure.
+    `LP#2098904 <https://bugs.launchpad.net/kolla/+bug/2098904>`__

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +fixes:
 +  - |
 +    Removes Git remote URLs after cloning to prevent credential exposure.
 +    `LP#2098904 <https://bugs.launchpad.net/kolla/+bug/2098904>`__