abhijeets25012-tech opened a new pull request, #64103: URL: https://github.com/apache/airflow/pull/64103
### Problem

Currently, GitHook embeds credentials (username/token) directly in the repository URL for HTTP(S) connections. This can cause sensitive information to be exposed in DAG parsing, logs, or `.git/config`.

### Solution

- Removed embedding credentials in the URL.
- Added secure token-based authentication using GIT_ASKPASS.
- Disabled interactive prompts with GIT_TERMINAL_PROMPT=0.
- Preserved SSH support for git@ URLs and local paths.
- Fully backward-compatible; does not affect existing SSH workflows.

### Security Impact

- Prevents cleartext credentials from being persisted in Git configuration.
- Ensures DAG authors cannot accidentally exfiltrate tokens during parsing.

### Testing

- Verified repo URLs with/without tokens.
- Confirmed SSH keys and GIT_ASKPASS work as expected.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
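The pattern listed in the description above (credentials kept out of the URL, a GIT_ASKPASS helper, GIT_TERMINAL_PROMPT=0), as an added Python example; it is not the code from this pull request or from Airflow's GitHook. The function names, the `DEMO_GIT_USERNAME` / `DEMO_GIT_TOKEN` variable names and the sample URL in the comments are assumptions made for illustration.

```python
import os
import stat
import subprocess
from urllib.parse import unquote, urlsplit, urlunsplit

# Helper git runs for each prompt: the prompt text arrives as $1 and the
# answer is read from stdout. DEMO_GIT_* are hypothetical variable names.
ASKPASS_SCRIPT = """#!/bin/sh
case "$1" in
  Username*) printf '%s\\n' "$DEMO_GIT_USERNAME" ;;
  *)         printf '%s\\n' "$DEMO_GIT_TOKEN" ;;
esac
"""


def strip_userinfo(url):
    """Return (url_without_credentials, username, token)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return url, None, None  # git@host:path and local paths pass through
    netloc = parts.netloc.rpartition("@")[2]  # drop "user:token@", keep host[:port]
    clean = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    user = unquote(parts.username) if parts.username else None
    token = unquote(parts.password) if parts.password else None
    return clean, user, token


def write_askpass(directory):
    """Write the helper with owner-only permissions; it holds no secret itself."""
    path = os.path.join(directory, "askpass.sh")
    with open(path, "w") as fh:
        fh.write(ASKPASS_SCRIPT)
    os.chmod(path, stat.S_IRWXU)  # 0700
    return path


def git_env(username, token, askpass_path):
    """Environment for the git subprocess: helper set, terminal prompts off."""
    env = dict(os.environ)
    env.update(GIT_ASKPASS=askpass_path, GIT_TERMINAL_PROMPT="0",
               DEMO_GIT_USERNAME=username or "", DEMO_GIT_TOKEN=token or "")
    return env


def ask(askpass_path, env, prompt):
    """Run the helper with a git-style prompt (offline check, no git needed)."""
    out = subprocess.run(["sh", askpass_path, prompt], env=env,
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()
```

Pass the cleaned URL and `git_env(...)` to the `git` subprocess so the token never reaches the command line, the logs or `.git/config`. The token still sits in that child process's environment, so it remains readable by anything running as the same user.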
