Add the "scrub" command to remove passwords and other sensitive information from a repository. Ticket [e5232878345].
Commit
6c6a978a537be7efa48b32d52bb282611c54a8bb
Parent
eb1db585a5b6250…
1 file changed
+61
+61
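--- a/src/rebuild.c
+++ b/src/rebuild.c
@@ -337,5 +337,66 @@
     "UPDATE config SET value='detached-' || value"
     " WHERE name='project-name' AND value NOT GLOB 'detached-*';"
   );
   db_end_transaction(0);
 }
+
+/*
+** COMMAND: scrub
+** %fossil scrub [--verily] [--force] [REPOSITORY]
+**
+** The command removes sensitive information (such as passwords) from a
+** repository so that the respository can be sent to an untrusted reader.
+**
+** By default, only passwords are removed. However, if the --verily option
+** is added, then private branches, concealed email addresses, IP
+** addresses of correspondents, and similar privacy-sensitive fields
+** are also purged.
+**
+** This command permanently deletes the scrubbed information. The effects
+** of this command are irreversible. Use with caution.
+**
+** The user is prompted to confirm the scrub unless the --force option
+** is used.
+*/
+void scrub_cmd(void){
+  int bVerily = find_option("verily",0,0)!=0;
+  int bForce = find_option("force", "f", 0)!=0;
+  int bNeedRebuild = 0;
+  if( g.argc!=2 && g.argc!=3 ) usage("?REPOSITORY?");
+  if( g.argc==2 ){
+    db_must_be_within_tree();
+  }else{
+    db_open_repository(g.argv[2]);
+  }
+  if( !bForce ){
+    Blob ans;
+    blob_zero(&ans);
+    prompt_user("Scrubbing the repository will permanently remove user\n"
+                "passwords and other information. Changes cannot be undone.\n"
+                "Continue [y/N]? ", &ans);
+    if( blob_str(&ans)[0]!='y' ){
+      exit(1);
+    }
+  }
+  db_begin_transaction();
+  db_multi_exec(
+    "UPDATE user SET pw='';"
+    "DELETE FROM config WHERE name='last-sync-url';"
+  );
+  if( bVerily ){
+    bNeedRebuild = db_exists("SELECT 1 FROM private");
+    db_multi_exec(
+      "DELETE FROM concealed;"
+      "UPDATE rcvfrom SET ipaddr='unknown';"
+      "UPDATE user SET photo=NULL, info='';"
+      "INSERT INTO shun SELECT uuid FROM blob WHERE rid IN private;"
+    );
+  }
+  if( !bNeedRebuild ){
+    db_end_transaction(0);
+    db_multi_exec("VACUUM;");
+  }else{
+    rebuild_db(0, 1);
+    db_end_transaction(0);
+  }
+}
 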
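Review bot: The rebuild branch (`rebuild_db(0, 1); db_end_transaction(0);`) never runs VACUUM, so unless rebuild_db() vacuums on its own (not visible here) the rows deleted from `user`, `concealed` and the shunned private artifacts can survive in the database file's free pages and still reach the untrusted reader this command exists to protect against; running `db_multi_exec("VACUUM;");` once after both branches' `db_end_transaction(0)` closes that gap, since VACUUM cannot run inside the open transaction anyway. The default scrub also clears only `pw`: if this schema has the user table's login-cookie columns `cookie`, `ipaddr` and `cexpire`, the scrubbed copy still carries live session material for the originating server, so `"UPDATE user SET pw='', cookie=NULL, ipaddr=NULL, cexpire=NULL;"` would be the safer statement. If `shun.uuid` carries a UNIQUE constraint, `INSERT INTO shun SELECT uuid FROM blob WHERE rid IN private;` fails the whole transaction when a private artifact is already shunned; `INSERT OR IGNORE INTO shun ...` avoids that. The same hunk is rendered twice more below this section and the remarks apply there as well.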
| --- src/rebuild.c | |
| +++ src/rebuild.c | |
| @@ -337,5 +337,66 @@ | |
| 337 | "UPDATE config SET value='detached-' || value" |
| 338 | " WHERE name='project-name' AND value NOT GLOB 'detached-*';" |
| 339 | ); |
| 340 | db_end_transaction(0); |
| 341 | } |
| 342 |
| --- src/rebuild.c | |
| +++ src/rebuild.c | |
| @@ -337,5 +337,66 @@ | |
| 337 | "UPDATE config SET value='detached-' || value" |
| 338 | " WHERE name='project-name' AND value NOT GLOB 'detached-*';" |
| 339 | ); |
| 340 | db_end_transaction(0); |
| 341 | } |
| 342 | |
| 343 | /* |
| 344 | ** COMMAND: scrub |
| 345 | ** %fossil scrub [--verily] [--force] [REPOSITORY] |
| 346 | ** |
| 347 | ** The command removes sensitive information (such as passwords) from a |
| 348 | ** repository so that the respository can be sent to an untrusted reader. |
| 349 | ** |
| 350 | ** By default, only passwords are removed. However, if the --verily option |
| 351 | ** is added, then private branches, concealed email addresses, IP |
| 352 | ** addresses of correspondents, and similar privacy-sensitive fields |
| 353 | ** are also purged. |
| 354 | ** |
| 355 | ** This command permanently deletes the scrubbed information. The effects |
| 356 | ** of this command are irreversible. Use with caution. |
| 357 | ** |
| 358 | ** The user is prompted to confirm the scrub unless the --force option |
| 359 | ** is used. |
| 360 | */ |
| 361 | void scrub_cmd(void){ |
| 362 | int bVerily = find_option("verily",0,0)!=0; |
| 363 | int bForce = find_option("force", "f", 0)!=0; |
| 364 | int bNeedRebuild = 0; |
| 365 | if( g.argc!=2 && g.argc!=3 ) usage("?REPOSITORY?"); |
| 366 | if( g.argc==2 ){ |
| 367 | db_must_be_within_tree(); |
| 368 | }else{ |
| 369 | db_open_repository(g.argv[2]); |
| 370 | } |
| 371 | if( !bForce ){ |
| 372 | Blob ans; |
| 373 | blob_zero(&ans); |
| 374 | prompt_user("Scrubbing the repository will permanently remove user\n" |
| 375 | "passwords and other information. Changes cannot be undone.\n" |
| 376 | "Continue [y/N]? ", &ans); |
| 377 | if( blob_str(&ans)[0]!='y' ){ |
| 378 | exit(1); |
| 379 | } |
| 380 | } |
| 381 | db_begin_transaction(); |
| 382 | db_multi_exec( |
| 383 | "UPDATE user SET pw='';" |
| 384 | "DELETE FROM config WHERE name='last-sync-url';" |
| 385 | ); |
| 386 | if( bVerily ){ |
| 387 | bNeedRebuild = db_exists("SELECT 1 FROM private"); |
| 388 | db_multi_exec( |
| 389 | "DELETE FROM concealed;" |
| 390 | "UPDATE rcvfrom SET ipaddr='unknown';" |
| 391 | "UPDATE user SET photo=NULL, info='';" |
| 392 | "INSERT INTO shun SELECT uuid FROM blob WHERE rid IN private;" |
| 393 | ); |
| 394 | } |
| 395 | if( !bNeedRebuild ){ |
| 396 | db_end_transaction(0); |
| 397 | db_multi_exec("VACUUM;"); |
| 398 | }else{ |
| 399 | rebuild_db(0, 1); |
| 400 | db_end_transaction(0); |
| 401 | } |
| 402 | } |
| 403 |