From 52cd5dce3bd187a1cbc03e25c6071e1110d1ab56 Mon Sep 17 00:00:00 2001 From: Jason Gross Date: Sat, 12 Oct 2024 13:21:06 -0700 Subject: [PATCH] Don't leak the token in the error message --- src/git_utils.ml | 22 +++++++++++++--------- src/git_utils.mli | 2 +- 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/src/git_utils.ml b/src/git_utils.ml index a3c49238..4b4d8753 100644 --- a/src/git_utils.ml +++ b/src/git_utils.ml @@ -11,8 +11,12 @@ let gitlab_repo ~bot_info ~gitlab_domain ~gitlab_full_name = |> Result.map ~f:(fun token -> f "https://oauth2:%s@%s/%s.git" token gitlab_domain gitlab_full_name ) -let report_status command report code = - Error (f {|Command "%s" %s %d\n|} command report code) +let report_status ?(mask = []) command report code = + Error + (List.fold_left + ~init:(f {|Command "%s" %s %d%s|} command report code "\n") + ~f:(fun acc m -> Str.global_replace (Str.regexp_string m) "XXXXX" acc) + mask) let gitlab_ref ~bot_info ~(issue : issue) ~github_mapping ~gitlab_mapping = let default_gitlab_domain = "gitlab.com" in @@ -82,7 +86,7 @@ let gitlab_ref ~bot_info ~(issue : issue) ~github_mapping ~gitlab_mapping = let ( |&& ) command1 command2 = command1 ^ " && " ^ command2 -let execute_cmd command = +let execute_cmd ?(mask = []) command = Lwt_io.printf "Executing command: %s\n" command >>= fun () -> Lwt_unix.system command 
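Review bot: An empty string in `mask` reaches `Str.regexp_string m` unfiltered in `report_status`, and an empty pattern matches at every position, so an unset or blank token would most likely scatter `XXXXX` through the whole error message. Dropping empty entries first avoids that, e.g. `List.filter mask ~f:(fun m -> not (String.is_empty m))` before the fold. The replacement is also a literal match, so a secret that appears in the command in an escaped or encoded form would pass through unmasked. A short comment on `report_status` should state that limit.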
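Review bot: The unmasked command is still written out by `Lwt_io.printf "Executing command: %s\n" command` at the top of `execute_cmd`, so the token is kept out of the returned error but not out of the process output. If that output is captured in logs, the leak this commit targets remains for every invocation, successful or not. Moving the fold from `report_status` into a small helper and using it in both places would close this, e.g. `Lwt_io.printf "Executing command: %s\n" (apply_mask ~mask command)`, where `apply_mask` is the proposed helper. The body of `execute_cmd` continues past the end of this hunk.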
@@ -90,11 +94,11 @@ let execute_cmd command = match status with | Unix.WEXITED code -> if Int.equal code 0 then Ok () - else report_status command "exited with status" code + else report_status ~mask command "exited with status" code | Unix.WSIGNALED signal -> - report_status command "was killed by signal number" signal + report_status ~mask command "was killed by signal number" signal | Unix.WSTOPPED signal -> - report_status command "was stopped by signal number" signal + report_status ~mask command "was stopped by signal number" signal let git_fetch ?(force = true) remote_ref local_branch_name = f "git fetch --quiet -fu %s %s%s:%s" remote_ref.repo_url @@ -166,7 +170,7 @@ let git_coq_bug_minimizer ~bot_info ~script ~comment_thread_id ~comment_author ; coq_version ; ocaml_version ; minimizer_extra_arguments |> String.concat ~sep:" " ] - |> execute_cmd + |> execute_cmd ~mask:[bot_info.github_pat] let git_run_ci_minimization ~bot_info ~comment_thread_id ~owner ~repo ~pr_number ~docker_image ~target ~opam_switch ~failing_urls ~passing_urls ~base ~head @@ -192,14 +196,14 @@ let git_run_ci_minimization ~bot_info ~comment_thread_id ~owner ~repo ~pr_number @ match bug_file_name with Some bug_file_name -> [bug_file_name] | None -> [] ) |> Stdlib.Filename.quote_command "./run_ci_minimization.sh" - |> execute_cmd + |> execute_cmd ~mask:[bot_info.github_pat] let init_git_bare_repository ~bot_info = let* () = Lwt_io.printl "Initializing repository..." in "git init --bare" |&& f {|git config user.email "%s"|} bot_info.email |&& f {|git config user.name "%s"|} bot_info.github_name - |> execute_cmd + |> execute_cmd ~mask:[bot_info.github_pat] >>= function | Ok _ -> Lwt_io.printl "Bare repository initialized." diff --git a/src/git_utils.mli b/src/git_utils.mli index 04334562..9c2f1d96 100644 --- a/src/git_utils.mli +++ b/src/git_utils.mli 
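Review bot: Masking is opt-in per call site because `?(mask = [])` defaults to no masking, so any `execute_cmd` caller not touched by this diff keeps reporting its command verbatim. This call in `git_coq_bug_minimizer` and the two in the next hunk pass only `bot_info.github_pat`. The URL built by `gitlab_repo` (`https://oauth2:%s@%s/%s.git`, visible in the first hunk's context) embeds a different token, and if such a URL reaches `execute_cmd` elsewhere it would not be covered. Consider having the callers that hold `bot_info` pass every credential it carries, or add a comment on `execute_cmd` saying that callers must list each secret present in the command. The start of `git_coq_bug_minimizer` is outside the hunk.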
@@ -13,7 +13,7 @@ val gitlab_ref : val ( |&& ) : string -> string -> string -val execute_cmd : string -> (unit, string) result Lwt.t +val execute_cmd : ?mask:string list -> string -> (unit, string) result Lwt.t val git_fetch : ?force:bool -> Bot_components.GitHub_types.remote_ref_info -> string -> string
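Review bot: The new `?mask` argument is exposed in the interface without a doc comment, so callers cannot tell what it protects. I would add something like `(** [execute_cmd ?mask command] runs [command] through the shell; each string in [mask] is replaced by ["XXXXX"] in the returned error message. *)` above the `val`. The comment should also say that only the error string is masked, since the implementation in `git_utils.ml` prints the command itself before running it.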