From de8fdf7ab438cc360df8d249dee0b13900f3c59c Mon Sep 17 00:00:00 2001
From: Christophe de Vienne
Date: Tue, 9 Apr 2024 18:44:08 +0200
Subject: [PATCH] hg: fix cacheID construction

The repo URL must be in the cache id. The ref is purposely not included in it because we want to reuse the cached repository when the ref moves. And finally, we use a sha256 hash to mask any authentication data because we don't want them to be readable in the cache folder name.
---
 pkg/vendir/fetch/hg/hg.go | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/pkg/vendir/fetch/hg/hg.go b/pkg/vendir/fetch/hg/hg.go
index df035cff..73953175 100644
--- a/pkg/vendir/fetch/hg/hg.go
+++ b/pkg/vendir/fetch/hg/hg.go
@@ -5,6 +5,8 @@ package hg
 import (
 	"bytes"
+	"crypto/sha256"
+	"encoding/hex"
 	"fmt"
 	"io"
 	"net/url"
@@ -126,6 +128,8 @@ func (t *Hg) setup(tempArea ctlfetch.TempArea) error {
 		return fmt.Errorf("Expected non-empty URL")
 	}
+	cacheID := t.opts.URL
+
 	authOpts, err := t.getAuthOpts()
 	if err != nil {
 		return err
@@ -178,7 +182,7 @@ hgauth.password = %s
 		}
 		sshCmd = append(sshCmd, "-i", path, "-o", "IdentitiesOnly=yes")
-		t.cacheID += "private-key=" + *authOpts.PrivateKey + "|"
+		cacheID += "private-key=" + *authOpts.PrivateKey + "|"
 	}
 	if authOpts.KnownHosts != nil {
@@ -190,7 +194,7 @@ hgauth.password = %s
 		}
 		sshCmd = append(sshCmd, "-o", "StrictHostKeyChecking=yes", "-o", "UserKnownHostsFile="+path)
-		t.cacheID += "known-hosts=" + *authOpts.KnownHosts + "|"
+		cacheID += "known-hosts=" + *authOpts.KnownHosts + "|"
 	} else {
 		sshCmd = append(sshCmd, "-o", "StrictHostKeyChecking=no")
 	}
@@ -205,9 +209,12 @@ hgauth.password = %s
 		return fmt.Errorf("Writing %s: %s", hgRcPath, err)
 	}
 	t.env = append(t.env, "HGRCPATH="+hgRcPath)
-	t.cacheID += hgRc
+	cacheID += hgRc
 	}
+	sha := sha256.Sum256([]byte(cacheID))
+	t.cacheID = hex.EncodeToString(sha[:])
+
 	return nil
 }
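Review bot: The pre-image built from `cacheID := t.opts.URL` is not unambiguously encoded: the URL is concatenated directly to the later `"private-key="` / `"known-hosts="` segments (hunks at -178 and -190) and the raw `hgRc` text is appended with no delimiter at all (hunk at -205), so two different (URL, auth) combinations can in principle produce the same string and share a cache directory. A cheap fix is to terminate every component with the same delimiter, starting with `cacheID := t.opts.URL + "|"` here and `cacheID += hgRc + "|"` at the end, or to length-prefix each part before hashing. The enclosing `setup` method starts before this hunk and continues past it.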
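Review bot: `t.cacheID = hex.EncodeToString(sha[:])` publishes, as a directory name, an unkeyed SHA-256 of a string that apparently contains the full hgrc text (the hunk context shows an `hgauth.password = %s` line) plus the private-key and known-hosts contents; hashing hides the bytes but does not protect a low-entropy password, since anyone who can list the cache folder and knows the URL and the hgrc template can test password guesses offline against the folder name. Consider keying the cache on non-secret identity only (the URL, the username, a digest of the key file path or of the public half) rather than on the secret text itself, or, if the secrets must stay in the key, wrap the digest in an HMAC under a random per-cache key persisted next to the cache so that offline guessing has nothing to verify against. As a minor style point, `sha` reads as the algorithm rather than the value; `sum := sha256.Sum256(...)` and `hex.EncodeToString(sum[:])` is the usual naming. Setting `t.cacheID` only once on the success path, instead of the former incremental `+=`, is a welcome simplification.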