Skip to content

Strip userinfo from git-open remote URLs #60

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
graysurf merged 1 commit into from
Jan 22, 2026
Merged

Strip userinfo from git-open remote URLs #60

graysurf merged 1 commit into from
Jan 22, 2026

Conversation

@graysurf
Copy link
Owner

@graysurf graysurf commented Jan 22, 2026
edited
Loading

Strip userinfo from git-open remote URLs

Summary

Normalize remotes by stripping userinfo across ssh/http(s) and scp-style URLs and add tests to cover non-git users and credentialed HTTPS remotes.

Problem

  • Expected: git-normalize-remote-url should produce browser-safe https URLs without embedded credentials regardless of remote username.
  • Actual: non-git scp-style remotes (e.g., alice@github.com:org/repo.git) stay unnormalized and https remotes with userinfo keep credentials in the URL.
  • Impact: git-open can emit invalid URLs or leak credentials in terminal output.

Reproduction

  1. Set a remote such as git remote set-url origin alice@github.com:org/repo.git.
  2. Run git-normalize-remote-url origin.
  • Expected result: https://github.com/org/repo
  • Actual result: alice@github.com:org/repo

Issues Found

Severity: medium
Confidence: high
Status: open | fixed | deferred | needs-info

ID Severity Confidence Area Summary Evidence Status
PR-60-BUG-001 medium high scripts/git/git-open.zsh Remote normalization leaves userinfo or scp-style usernames in browser URLs scripts/git/git-open.zsh:53 fixed

Fix Approach

  • Strip userinfo from scheme URLs and normalize scp-style remotes for any user.
  • Add normalization tests for non-git users and credentialed https remotes.

Testing

  • zsh -f tests/git-open-normalize-remote-url.test.zsh (pass)

Risk / Notes

  • Userinfo is intentionally stripped from http(s) remotes to avoid credential leakage.

@graysurf graysurf force-pushed the fix/medium-git-open-strip-userinfo branch 2 times, most recently from 5f51cac to 50448a2 Compare January 22, 2026 10:16
@graysurf
fix(git-open): strip userinfo from remote normalization
ed5646b 
- Strip userinfo from ssh/http(s) remotes to avoid leaking credentials in URLs
- Normalize non-git scp-style remotes and add coverage for userinfo cases
@graysurf graysurf force-pushed the fix/medium-git-open-strip-userinfo branch from 50448a2 to ed5646b Compare January 22, 2026 10:31
@graysurf graysurf merged commit 38da358 into main Jan 22, 2026
3 checks passed
@graysurf graysurf deleted the fix/medium-git-open-strip-userinfo branch January 22, 2026 10:32
@sonarqubecloud
Copy link

sonarqubecloud bot commented Jan 22, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@graysurf