⚠️ [Security]: Mask sensitive data from git config --list (#259)

MariusStorhaug · web-flow · commit eca70d003e68 · 2025-01-13T16:32:33.000+01:00
## Description This pull request involves significant updates to the `Get-GitHubGitConfig.ps1` script to enhance its functionality and improve code readability. The most important changes include adding a parameter for specifying the scope of the git configuration, improving error messages, and updating the way git configuration data is processed and returned. Enhancements to functionality: * [`src/functions/public/Git/Get-GitHubGitConfig.ps1`](diffhunk://#diff-dfb306c31ba449aae53bfc9d39801cb64924641ebf9f953e6eed74a02877ee40L16-R20): Added a new parameter `$Scope` with validation to allow specifying 'local', 'global', or 'system' scope for the git configuration. Improvements to code readability: * [`src/functions/public/Git/Get-GitHubGitConfig.ps1`](diffhunk://#diff-dfb306c31ba449aae53bfc9d39801cb64924641ebf9f953e6eed74a02877ee40L29-R33): Changed verbose message to use single quotes for consistency. Updates to data processing: * [`src/functions/public/Git/Get-GitHubGitConfig.ps1`](diffhunk://#diff-dfb306c31ba449aae53bfc9d39801cb64924641ebf9f953e6eed74a02877ee40L43-R63): Replaced the old method of processing git configuration data with a more efficient approach using `ConvertFrom-StringData` and a hashtable to store and return the results. This change also includes masking sensitive information found in the configuration. ## Type of change  - [ ] 📖 [Docs] - [ ] 🪲 [Fix] - [x] 🩹 [Patch] - [x] ⚠️ [Security fix] - [ ] 🚀 [Feature] - [ ] 🌟 [Breaking change] ## Checklist  - [x] I have performed a self-review of my own code - [x] I have commented my code, particularly in hard-to-understand areas
diff --git a/src/functions/public/Git/Get-GitHubGitConfig.ps1 b/src/functions/public/Git/Get-GitHubGitConfig.ps1
@@ -13,7 +13,11 @@
     #>
     [OutputType([pscustomobject])]
     [CmdletBinding()]
-    param()
+    param(
+        [Parameter()]
+        [ValidateSet('local', 'global', 'system')]
+        [string] $Scope = 'local'
+    )
 
     begin {
         $stackPath = Get-PSCallStackPath
@@ -26,7 +30,7 @@
             $gitExists = Get-Command -Name 'git' -ErrorAction SilentlyContinue
             Write-Debug "GITEXISTS: $gitExists"
             if (-not $gitExists) {
-                Write-Verbose "Git is not installed. Cannot get git configuration."
+                Write-Verbose 'Git is not installed. Cannot get git configuration.'
                 return
             }
 
@@ -40,14 +44,23 @@
                 return
             }
 
-            git config --local --list | ForEach-Object {
-                (
-                    [pscustomobject]@{
-                        Name  = $_.Split('=')[0]
-                        Value = $_.Split('=')[1]
-                    }
-                )
+            $config = @{}
+            git config --$Scope --list | ConvertFrom-StringData | ForEach-Object {
+                $config += $_
             }
+            $result = @{}
+            $config.GetEnumerator() | ForEach-Object {
+                $name = $_.Key
+                $value = $_.Value
+                if ($value -match '(?i)AUTHORIZATION:\s*(?<scheme>[^\s]+)\s+(?<token>.*)') {
+                    $secret = $matches['token']
+                    Add-GitHubMask -Value $secret
+                }
+                $result += @{
+                    $name = $value
+                }
+            }
+            [pscustomobject]$result
         } catch {
             throw $_
         }
diff --git a/tests/GitHub.Tests.ps1 b/tests/GitHub.Tests.ps1
@@ -769,10 +769,26 @@ Describe 'As GitHub Actions (GHA)' {
         }
     }
     Context 'Git' {
+        It "Get-GitHubGitConfig gets the 'local' (default) Git configuration (GHA)" {
+            $gitConfig = Get-GitHubGitConfig
+            Write-Verbose ($gitConfig | Format-List | Out-String) -Verbose
+            $gitConfig | Should -Not -BeNullOrEmpty
+        }
+        It "Get-GitHubGitConfig gets the 'global' Git configuration (GHA)" {
+            git config --global advice.pushfetchfirst false
+            $gitConfig = Get-GitHubGitConfig -Scope 'global'
+            Write-Verbose ($gitConfig | Format-List | Out-String) -Verbose
+            $gitConfig | Should -Not -BeNullOrEmpty
+        }
+        It "Get-GitHubGitConfig gets the 'system' Git configuration (GHA)" {
+            $gitConfig = Get-GitHubGitConfig -Scope 'system'
+            Write-Verbose ($gitConfig | Format-List | Out-String) -Verbose
+            $gitConfig | Should -Not -BeNullOrEmpty
+        }
         It 'Set-GitHubGitConfig sets the Git configuration (GHA)' {
             { Set-GitHubGitConfig } | Should -Not -Throw
             $gitConfig = Get-GitHubGitConfig
-            Write-Verbose ($gitConfig | Format-Table | Out-String) -Verbose
+            Write-Verbose ($gitConfig | Format-List | Out-String) -Verbose
 
             $gitConfig | Should -Not -BeNullOrEmpty
             $gitConfig.'user.name' | Should -Not -BeNullOrEmpty
