Skip to content

Comments

Azure DevOps mounter#150

Open
jaguasch wants to merge 1 commit intoOWASP:masterfrom
jaguasch:azdomounter
Open

Azure DevOps mounter#150
jaguasch wants to merge 1 commit intoOWASP:masterfrom
jaguasch:azdomounter

Conversation

@jaguasch
Copy link

@jaguasch jaguasch commented Mar 13, 2019

GitMounter lacks the ability of mounting git repositories from Azure DevOps

I decided to create a new mounter, heavily inspired by the git one, to be able to mount Azure DevOps (aka Visual Studio Team Services) git repositories when they are specified as a target

format of the target URL should be:

https://DUMMY:<PAT_TOKEN>@dev.azure.com/<account>/<project>/_git/<repository>

It requires a Personal Access Token to be used as part of the target url, and having, at least, Code/Read capabilities against such repository, as specified in this link

sample of the tool mounting an Azure Devops repository and starting scanning the content:

/glue # ./bin/glue -t brakeman -f json  https://test:XXXXXXXXX@dev.azure.com/XXXXX/XXXXX/_git/XXXXX
Logfile nil?
calling scan
Running scanner
Loading scanner...
Mounting https://test:XXXXXXXXX@dev.azure.com/XXXXX/XXXXX/_git/XXXXX with #<Glue::AzDOMounter:0x00005572e7ac9090>
Cleaning directory: /root/glue/tmp/dev.azure.com/XXXXX/XXXXX/XXXXX
/root/glue/tmp/dev.azure.com/XXXXX/XXXXX/XXXXXis not a directory.
Mounted https://test:XXXXXXXXX@dev.azure.com/XXXXX/XXXXX/_git/XXXXX with #<Glue::AzDOMounter:0x00005572e7ac9090>
Processing target...https://test:XXXXXXXXX@dev.azure.com/XXXXX/XXXXX/_git/XXXXX
Running tasks in stage: wait
Running tasks in stage: mount
Running tasks in stage: file

Concern is having PAT tokens leaking on logs, so might be useful to redact that from the base mounters files.

Also, thinking on allowing PAT token to be a configuration option and use it for this mounter instead of using targets including tokens as part of the string

@jaguasch jaguasch mentioned this pull request Mar 13, 2019
Open
omerlh
omerlh requested changes Mar 14, 2019
View reviewed changes
Copy link
Collaborator

@omerlh omerlh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, please add some testing

lib/glue/mounters/azdo_mounter.rb
require 'glue/mounters/base_mounter'
require 'fileutils'

class Glue::AzDOMounter < Glue::BaseMounter
Copy link
Collaborator

@omerlh omerlh Mar 14, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe think on a more clear name? AzureGitMounter maybe?

lib/glue/mounters/azdo_mounter.rb
super(trigger)
@options = options
@name = "AzDO Git"
@description = "Pull a repo."
Copy link
Collaborator

@omerlh omerlh Mar 14, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
@description = "Pull a repo."
@description = "Pull a repository from Azure DevOps"

lib/glue/mounters/azdo_mounter.rb
def mount target
base = @options[:working_dir]

Glue.debug "Making base."
Copy link
Collaborator

@omerlh omerlh Mar 14, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should it stay here?

lib/glue/mounters/azdo_mounter.rb

# Grab the path used as git url, excluding PAT.
# format of this target must be https://DUMMY:<PAT_TOKEN>@dev.azure.com/<account>/<project>/_git/<repository>
protocol, azdo_domain, account, project, repository = target.match(/\A(.*\/\/).*@(.*)\/(.*)\/(.*)\/_git\/(.+?)[\/]{0,1}\z/i).captures
Copy link
Collaborator

@omerlh omerlh Mar 14, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe get these parameters separately and build the URL?

Copy link
Author

@jaguasch jaguasch Mar 14, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am thinking on maybe having PATTOKEN as a configuration parameter, as can be useful for something else (working on creating work items on Azure DevOps, like the ones for Jira, Pivotal...)

Parameters I extract from the match are for building the folder name used for temporary storage, but the target url should be ````https://dev.azure.com/../../_git/....```

So that way, you can just use the Git Url you can copy/paste from Azure DevOps

Copy link
Collaborator

@omerlh omerlh Mar 17, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ohh I see. Ok, so just move the PAT to paramter - which could also help in reducting it.

@jaguasch
Copy link
Author

jaguasch commented Mar 14, 2019

Also, please add some testing

Where can I find tests for the other mounters?

@omerlh
Copy link
Collaborator

omerlh commented Mar 17, 2019

The test coverage is not amazing - look on different tests under the spec folder. Let's move to OWASP Slack (feel free to DM me) if you need some guidance on writing a new test.

@stale
Copy link

stale bot commented May 16, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label May 16, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@omerlh omerlh omerlh requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

stale

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jaguasch @omerlh @joguas-MSFT