|
1 | 1 | import spawn from 'cross-spawn'; |
2 | | -import rp from 'request-promise'; |
3 | | -import { getURL } from './url'; |
| 2 | +import path from 'path'; |
| 3 | + |
| 4 | +// ─── 安全说明 ────────────────────────────────────────────────────────────────── |
| 5 | +// 旧版实现存在两个高危漏洞: |
| 6 | +// 1. 协议降级:将 git@host:path 改写为 http://host/path,使流量走明文 HTTP |
| 7 | +// 2. URL 内联凭证:将账号密码拼入 URL(http://user:pass@host), |
| 8 | +// 导致凭证出现在进程参数列表、日志、HTTPS 降级后的中间人可见流量中 |
| 9 | +// 修复方案: |
| 10 | +// - transformUrl 只允许 https:// / git@ 协议,拒绝 http:// |
| 11 | +// - 凭证通过 GIT_ASKPASS 环境变量传递,不再内联进 URL |
| 12 | +// ────────────────────────────────────────────────────────────────────────────── |
4 | 13 |
|
5 | | -let gitAccount: { |
6 | | - username: string; |
7 | | - password: string; |
8 | | -}; |
9 | 14 | let serverUrl: string; |
10 | 15 |
|
11 | 16 | export function setServerUrl(url: string) { |
12 | 17 | serverUrl = url; |
13 | 18 | } |
14 | 19 |
|
15 | 20 | function getHostname(url: string): string { |
16 | | - if (/https?/.test(url)) { |
| 21 | + if (/^https?:\/\//.test(url)) { |
17 | 22 | const [, , match = ''] = url.match(/^http(s)?:\/\/(.*?)\//) || []; |
18 | 23 | return match.split('@').pop() || ''; |
19 | 24 | } |
20 | 25 | const [, hostname = ''] = url.match(/@(.*):/) || []; |
21 | 26 | return hostname; |
22 | 27 | } |
23 | 28 |
|
24 | | -async function prepareAccount() { |
25 | | - if (gitAccount) { |
26 | | - return; |
27 | | - } |
28 | | - const url = getURL(serverUrl, 'apply/getlist?name=0'); |
29 | | - if (!url) { |
30 | | - return; |
| 29 | +/** |
| 30 | + * 安全地转换仓库 URL: |
| 31 | + * - 拒绝 http:// 协议(防止协议降级攻击) |
| 32 | + * - https:// 保持原样;git@ 在 SSH 不可用时转为 https:// |
| 33 | + * - 不再将凭证内联到 URL 中 |
| 34 | + * |
| 35 | + * @param url 原始仓库 URL(https:// 或 git@) |
| 36 | + * @returns 安全的仓库 URL(string) |
| 37 | + * @throws 若 URL 使用不允许的协议则抛出错误 |
| 38 | + */ |
| 39 | +export async function transformUrl(url: string): Promise<string> { |
| 40 | + // 拒绝裸 http:// 协议(含内联凭证形式 http://user:pass@host) |
| 41 | + if (/^http:\/\//.test(url)) { |
| 42 | + throw new Error(`Insecure repository URL rejected (http is not allowed, use https or git@): ${url}`); |
31 | 43 | } |
32 | | - const options = { |
33 | | - url, |
34 | | - method: 'GET', |
35 | | - }; |
36 | | - return rp(options) |
37 | | - .then((response: string) => { |
38 | | - const data = JSON.parse(response); |
39 | | - if (data.account) { |
40 | | - gitAccount = data.account; |
| 44 | + |
| 45 | + if (/^https:\/\//.test(url) || /^git@/.test(url)) { |
| 46 | + const hostname = getHostname(url); |
| 47 | + // 检测 SSH 可用性,超时 3s 回退到 https |
| 48 | + const sshOk = await isSupportSSH(`git@${hostname}`); |
| 49 | + if (sshOk) { |
| 50 | + // SSH 可用:https:// → git@host:path |
| 51 | + if (/^https:\/\//.test(url)) { |
| 52 | + return url.replace(/^https:\/\/([^/]+)\//, 'git@$1:'); |
41 | 53 | } |
42 | | - }) |
43 | | - .catch(() => {}); |
| 54 | + return url; |
| 55 | + } else { |
| 56 | + // SSH 不可用:git@ → https://,https:// 保持不变 |
| 57 | + if (/^git@/.test(url)) { |
| 58 | + return url.replace(/^git@([^:]+):/, 'https://$1/'); |
| 59 | + } |
| 60 | + return url; |
| 61 | + } |
| 62 | + } |
| 63 | + |
| 64 | + throw new Error(`Unsupported repository protocol: ${url}`); |
44 | 65 | } |
45 | 66 |
|
46 | | -export async function transformUrl(url: string, account?: any): Promise<any> { |
47 | | - if (account) { |
48 | | - gitAccount = account; |
49 | | - } else { |
50 | | - await prepareAccount(); |
51 | | - } |
52 | | - const hostname = getHostname(url); |
53 | | - let transformedUrl; |
54 | | - if (/https?/.test(url)) { |
55 | | - transformedUrl = url; |
56 | | - } else { |
57 | | - transformedUrl = url.replace(`git@${hostname}:`, `http://${hostname}/`); |
| 67 | +let _sshCache: Record<string, boolean> = {}; |
| 68 | + |
| 69 | +async function isSupportSSH(url: string): Promise<boolean> { |
| 70 | + if (_sshCache[url] !== undefined) { |
| 71 | + return _sshCache[url]; |
58 | 72 | } |
59 | | - if (gitAccount) { |
60 | | - const { username, password } = gitAccount; |
61 | | - return transformedUrl.replace(/https?:\/\/(.*?(:.*?)?@)?/, `http://${username}:${password}@`); |
| 73 | + try { |
| 74 | + const result = await Promise.race([ |
| 75 | + Promise.resolve(spawn.sync('ssh', ['-vT', url], { windowsHide: true })), |
| 76 | + new Promise<never>((_, reject) => setTimeout(() => reject(new Error('timeout')), 3000)), |
| 77 | + ]) as ReturnType<typeof spawn.sync>; |
| 78 | + const ok = /Authentication succeeded/.test(result?.stderr?.toString() ?? ''); |
| 79 | + _sshCache[url] = ok; |
| 80 | + return ok; |
| 81 | + } catch { |
| 82 | + _sshCache[url] = false; |
| 83 | + return false; |
62 | 84 | } |
63 | | - return transformedUrl; |
64 | 85 | } |
65 | 86 |
|
66 | | -export async function clearGitCert(url: string) { |
67 | | - const { username } = gitAccount; |
68 | | - if (!username) { |
69 | | - return; |
| 87 | +/** |
| 88 | + * 构建安全的 Git 环境变量: |
| 89 | + * 通过 GIT_ASKPASS 脚本传递凭证,不将账号密码内联到 URL 或暴露在命令行参数中。 |
| 90 | + * |
| 91 | + * @param account 可选账号信息 { username, password } |
| 92 | + * @returns 含 GIT_ASKPASS 的环境变量对象 |
| 93 | + */ |
| 94 | +export function buildGitEnv(account?: { username: string; password: string }): NodeJS.ProcessEnv { |
| 95 | + if (!account) { |
| 96 | + return process.env; |
70 | 97 | } |
71 | | - let finalUrl = ''; |
72 | | - if (!/https?:\/\/(.*?(:.*?)?@)/.test(url)) { |
73 | | - finalUrl = await transformUrl(url); |
74 | | - } |
75 | | - return new Promise((resolve, reject) => { |
76 | | - const child = spawn('git', ['credential', 'reject'], { |
77 | | - windowsHide: true, |
78 | | - timeout: 60 * 1000, |
79 | | - }); |
80 | | - child.stdin?.write(`url=${finalUrl}`); |
81 | | - child.stdin?.end(); |
82 | | - child.on('close', (code) => { |
83 | | - resolve(code); |
84 | | - }); |
85 | | - child.on('error', (err) => { |
86 | | - reject(err); |
87 | | - }); |
88 | | - }); |
| 98 | + return { |
| 99 | + ...process.env, |
| 100 | + GIT_TERMINAL_PROMPT: '0', |
| 101 | + GIT_ASKPASS: path.join(__dirname, 'git-askpass.sh'), |
| 102 | + FEFLOW_GIT_USERNAME: account.username, |
| 103 | + FEFLOW_GIT_PASSWORD: account.password, |
| 104 | + }; |
89 | 105 | } |
90 | 106 |
|
91 | | -export async function clearGitCertByPath(repoPath: string) { |
92 | | - const ret = spawn.sync('git', ['config', '--get', 'remote.origin.url'], { |
93 | | - windowsHide: true, |
94 | | - cwd: repoPath, |
95 | | - }); |
96 | | - const url = ret?.stdout?.toString().trim(); |
97 | | - return clearGitCert(url); |
| 107 | +/** |
| 108 | + * 清除 git credential 缓存(使用 git credential reject)。 |
| 109 | + * 修复后凭证不再内联进 URL,此函数仅在 url 包含凭证时有操作意义, |
| 110 | + * 新流程下可直接返回。 |
| 111 | + */ |
| 112 | +export async function clearGitCert(_url: string): Promise<void> { |
| 113 | + // 新流程凭证通过 GIT_ASKPASS 传递,不内联进 URL,无需 credential reject |
| 114 | + return; |
98 | 115 | } |
99 | 116 |
|
100 | | -export async function download(url: string, tag: string, filepath: string): Promise<any> { |
| 117 | +export async function clearGitCertByPath(_repoPath: string): Promise<void> { |
| 118 | + return; |
| 119 | +} |
| 120 | + |
| 121 | +/** |
| 122 | + * 安全下载仓库:URL 不含凭证,凭证通过环境变量传递。 |
| 123 | + * |
| 124 | + * @param url 原始仓库 URL |
| 125 | + * @param tag 要 checkout 的 tag |
| 126 | + * @param filepath 本地目标路径 |
| 127 | + * @param account 可选 Git 账号 |
| 128 | + */ |
| 129 | +export async function download( |
| 130 | + url: string, |
| 131 | + tag: string, |
| 132 | + filepath: string, |
| 133 | + account?: { username: string; password: string } |
| 134 | +): Promise<void> { |
101 | 135 | const cloneUrl = await transformUrl(url); |
| 136 | + const env = buildGitEnv(account); |
102 | 137 |
|
103 | 138 | console.log('clone from', url); |
104 | 139 | return new Promise((resolve, reject) => { |
105 | | - const child = spawn('git', ['clone', '-b', tag, '--progress', '--depth', '1', cloneUrl, filepath], { |
106 | | - stdio: 'pipe', |
107 | | - windowsHide: true, |
108 | | - }); |
| 140 | + const child = spawn( |
| 141 | + 'git', |
| 142 | + ['clone', '-b', tag, '--progress', '--depth', '1', cloneUrl, filepath], |
| 143 | + { stdio: 'pipe', windowsHide: true, env } |
| 144 | + ); |
109 | 145 | let doneFlag = false; |
110 | 146 | child.stderr?.on('data', (d) => { |
111 | | - if (doneFlag) { |
112 | | - return; |
113 | | - } |
| 147 | + if (doneFlag) return; |
114 | 148 | if (d?.toString()?.startsWith('Note:') || d?.toString()?.startsWith('注意')) { |
115 | 149 | doneFlag = true; |
116 | 150 | return; |
117 | 151 | } |
118 | 152 | process.stderr.write(d); |
119 | 153 | }); |
120 | 154 | child.stdout?.on('data', (d) => { |
121 | | - if (doneFlag) { |
122 | | - return; |
123 | | - } |
| 155 | + if (doneFlag) return; |
124 | 156 | process.stdout.write(d); |
125 | 157 | }); |
126 | 158 | child.on('close', (code) => { |
127 | | - if (code === 0) { |
128 | | - resolve(0); |
129 | | - } else { |
130 | | - reject(code); |
131 | | - } |
132 | | - }); |
133 | | - child.on('error', (err) => { |
134 | | - reject(err); |
| 159 | + if (code === 0) resolve(); |
| 160 | + else reject(code); |
135 | 161 | }); |
136 | | - }) |
137 | | - // eslint-disable-next-line @typescript-eslint/no-misused-promises |
138 | | - .finally(() => clearGitCert(cloneUrl)); |
| 162 | + child.on('error', reject); |
| 163 | + }); |
139 | 164 | } |
0 commit comments