From 1bf97c395d55b175a4db8f84ee5de2795157cb7c Mon Sep 17 00:00:00 2001
From: Christophe de Vienne
Date: Tue, 9 Apr 2024 18:44:08 +0200
Subject: [PATCH] hg: fix cacheID construction

The repo URL must be in the cache id. The ref is purposely not included in it because we want to reuse the cached repository when the ref moves. And finally, we use a sha256 hash to mask any authentication data because we don't want them to be readable in the cache folder name.

Signed-off-by: Christophe de Vienne
---
 pkg/vendir/fetch/hg/hg.go | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/pkg/vendir/fetch/hg/hg.go b/pkg/vendir/fetch/hg/hg.go
index df035cff..73953175 100644
--- a/pkg/vendir/fetch/hg/hg.go
+++ b/pkg/vendir/fetch/hg/hg.go
@@ -5,6 +5,8 @@ package hg
 
 import (
 "bytes"
+ "crypto/sha256"
+ "encoding/hex"
 "fmt"
 "io"
 "net/url"
@@ -126,6 +128,8 @@ func (t *Hg) setup(tempArea ctlfetch.TempArea) error {
 return fmt.Errorf("Expected non-empty URL")
 }
 
+ cacheID := t.opts.URL
+
 authOpts, err := t.getAuthOpts()
 if err != nil {
 return err
@@ -178,7 +182,7 @@ hgauth.password = %s
 }
 
 sshCmd = append(sshCmd, "-i", path, "-o", "IdentitiesOnly=yes")
- t.cacheID += "private-key=" + *authOpts.PrivateKey + "|"
+ cacheID += "private-key=" + *authOpts.PrivateKey + "|"
 }
 
 if authOpts.KnownHosts != nil {
@@ -190,7 +194,7 @@ hgauth.password = %s
 }
 
 sshCmd = append(sshCmd, "-o", "StrictHostKeyChecking=yes", "-o", "UserKnownHostsFile="+path)
- t.cacheID += "known-hosts=" + *authOpts.KnownHosts + "|"
+ cacheID += "known-hosts=" + *authOpts.KnownHosts + "|"
 } else {
 sshCmd = append(sshCmd, "-o", "StrictHostKeyChecking=no")
 }
@@ -205,9 +209,12 @@ hgauth.password = %s
 return fmt.Errorf("Writing %s: %s", hgRcPath, err)
 }
 t.env = append(t.env, "HGRCPATH="+hgRcPath)
- t.cacheID += hgRc
+ cacheID += hgRc
 }
 
+ sha := sha256.Sum256([]byte(cacheID))
+ t.cacheID = hex.EncodeToString(sha[:])
+
 return nil
 }
 
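Review bot: In the second hunk, `cacheID := t.opts.URL` is followed directly by the `private-key=...|`, `known-hosts=...|` and hgRc pieces, with no label or delimiter after the URL, so the string that gets hashed is not unambiguously framed. Two different URL/auth combinations could in principle concatenate to the same bytes and end up sharing one cache entry. Starting with `cacheID := "url=" + t.opts.URL + "|"` would match the framing the other components already use. A comment such as `// ref is deliberately left out so the cached repo is reused when the ref moves` would keep the commit message's rationale next to the code. The body of setup starts and ends outside this hunk.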
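Review bot: In the last hunk the cache folder name becomes a plain, unkeyed SHA-256 of the URL plus auth material, and `cacheID += hgRc` feeds in the hgrc text, which appears to carry the password (the hunk context shows `hgauth.password = %s`; the template itself is outside the hunk, so confirm there). An unkeyed digest hides a high-entropy private key well, but a weak password stays guessable offline by anyone who can list the cache directory and knows or can guess the URL. Consider a keyed digest (HMAC-SHA-256 via `crypto/hmac`, with the key stored outside the cache directory), or deriving the id from non-secret identity only if per-password cache separation is not needed. At minimum, a comment above `t.cacheID = hex.EncodeToString(sha[:])` should state that the digest only masks the inputs and is not a password-safe construction.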