Azure DevOps mounter #150

Status: Open. Wants to merge 1 commit into base: master.
Conversation

jaguasch

GitMounter lacks the ability to mount git repositories from Azure DevOps.

I decided to create a new mounter, heavily inspired by the git one, to be able to mount Azure DevOps (aka Visual Studio Team Services) git repositories when they are specified as a target.

The format of the target URL should be:

https://DUMMY:<PAT_TOKEN>@dev.azure.com/<account>/<project>/_git/<repository>

It requires a Personal Access Token to be used as part of the target URL, having at least Code/Read capabilities against that repository, as specified in this link.

Sample of the tool mounting an Azure DevOps repository and starting to scan the content:

/glue # ./bin/glue -t brakeman -f json  https://test:[email protected]/XXXXX/XXXXX/_git/XXXXX
Logfile nil?
calling scan
Running scanner
Loading scanner...
Mounting https://test:[email protected]/XXXXX/XXXXX/_git/XXXXX with #<Glue::AzDOMounter:0x00005572e7ac9090>
Cleaning directory: /root/glue/tmp/dev.azure.com/XXXXX/XXXXX/XXXXX
/root/glue/tmp/dev.azure.com/XXXXX/XXXXX/XXXXXis not a directory.
Mounted https://test:[email protected]/XXXXX/XXXXX/_git/XXXXX with #<Glue::AzDOMounter:0x00005572e7ac9090>
Processing target...https://test:[email protected]/XXXXX/XXXXX/_git/XXXXX
Running tasks in stage: wait
Running tasks in stage: mount
Running tasks in stage: file

My concern is PAT tokens leaking into logs, so it might be useful to redact them in the base mounter files.

Also, I am thinking of allowing the PAT token to be a configuration option and using it for this mounter, instead of using targets that include tokens as part of the string.
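As an added example (not code from this PR or from the Glue project), a small Ruby module that parses the target format described above into the parts the mounter needs for its temporary directory and strips the PAT from the target before it reaches a log line; the module, method and constant names are assumptions:

```ruby
# Added example, not code from the PR or the Glue project.
# Handles targets in the documented format:
#   https://DUMMY:<PAT_TOKEN>@dev.azure.com/<account>/<project>/_git/<repository>
# Names (AzDoTarget, parse, redact, checkout_dir) are assumptions.
module AzDoTarget
  # Character classes instead of greedy ".*" so account/project cannot
  # swallow slashes; the userinfo (user and PAT) is matched but not captured.
  TARGET_RE = %r{\A(https?://)(?:[^@/]+@)?([^/]+)/([^/]+)/([^/]+)/_git/([^/]+?)/?\z}i

  # Returns the parts used to build the temporary checkout directory,
  # or nil for a target that does not follow the format (a bare
  # `match(...).captures` would raise NoMethodError instead).
  def self.parse(target)
    m = TARGET_RE.match(target)
    return nil unless m
    protocol, domain, account, project, repository = m.captures
    { protocol: protocol, domain: domain, account: account,
      project: project, repository: repository }
  end

  # Replaces the whole userinfo (user and PAT) with a marker so the target
  # can appear in lines such as "Mounting <target> with ..." without the token.
  def self.redact(target)
    target.sub(%r{\A(https?://)[^@/]*@}i, '\1REDACTED@')
  end

  # Path under the working dir, mirroring the layout seen in the log above:
  # <base>/<domain>/<account>/<project>/<repository>
  def self.checkout_dir(base, target)
    parts = parse(target)
    return nil unless parts
    File.join(base, parts[:domain], parts[:account], parts[:project], parts[:repository])
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample target; the token value is made up.
  sample = 'https://DUMMY:abc123def456@dev.azure.com/myorg/myproj/_git/myrepo'
  puts "Mounting #{AzDoTarget.redact(sample)}"
  puts "Cleaning directory: #{AzDoTarget.checkout_dir('/root/glue/tmp', sample)}"
end
```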

omerlh (Collaborator) left a comment:
Also, please add some testing

require 'glue/mounters/base_mounter'
require 'fileutils'

class Glue::AzDOMounter < Glue::BaseMounter
omerlh (Collaborator):

Maybe think of a clearer name? AzureGitMounter maybe?

super(trigger)
@options = options
@name = "AzDO Git"
@description = "Pull a repo."
omerlh (Collaborator):
Suggested change
@description = "Pull a repo."
@description = "Pull a repository from Azure DevOps"

def mount target
base = @options[:working_dir]

Glue.debug "Making base."
omerlh (Collaborator):
Should it stay here?


# Grab the path used as git url, excluding PAT.
# format of this target must be https://DUMMY:<PAT_TOKEN>@dev.azure.com/<account>/<project>/_git/<repository>
protocol, azdo_domain, account, project, repository = target.match(/\A(.*\/\/).*@(.*)\/(.*)\/(.*)\/_git\/(.+?)[\/]{0,1}\z/i).captures
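Review bot: the `.captures` call raises NoMethodError whenever the target does not match the expected format (no `_git` segment, no `@`), so a mistyped target fails with an unhelpful error rather than a message about the target; bind the match first (`m = target.match(...)`) and raise a descriptive error before taking `m.captures`. The greedy `(.*)` groups for domain, account and project also admit slashes and only work because `_git` appears once; `[^/]+` states the intent explicitly. Note too that the Mounting/Mounted lines in the description print the full `target`, so the PAT in the userinfo reaches the log; stripping the userinfo before logging, or taking the PAT from configuration as discussed below, closes that.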
omerlh (Collaborator):
Maybe get these parameters separately and build the URL?

jaguasch (Author):

I am thinking of maybe having PATTOKEN as a configuration parameter, as it can be useful for something else (I am working on creating work items on Azure DevOps, like the ones for Jira, Pivotal...).

The parameters I extract from the match are for building the folder name used for temporary storage, but the target URL should be `https://dev.azure.com/../../_git/....`

That way, you can just use the Git URL you can copy/paste from Azure DevOps.

omerlh (Collaborator):

Ohh I see. Ok, so just move the PAT to a parameter, which could also help in redacting it.

jaguasch (Author):

> Also, please add some testing

Where can I find tests for the other mounters?

omerlh (Collaborator) commented Mar 17, 2019:

The test coverage is not amazing; look at the different tests under the spec folder. Let's move to OWASP Slack (feel free to DM me) if you need some guidance on writing a new test.

stale bot commented May 16, 2019:

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

The stale bot added the stale label on May 16, 2019.