We use a Git repository in TFS in our organization. Recently it has been noticed that users can see other users' domain passwords in a "pull requests" history.

When I go to the Git repository in TFS web access -> Pull requests -> Completed and open it - in the "Commits" tab I can see an entry such as

36214
c133bb by danyl < USER's AD PASSWORD HERE >, 6 hours ago

What is it, a TFS bug or a configuration error?

We are using AD integration for TFS. All Git users are Active Directory users.

TFS version: 14.95.25122.0 (Tfs2015.Update2)

  • 3
    What is the setting of that user's `user.email` configuration setting? You can run `git config user.email` to see it. I'll wager a decent hunk of money that they've put their password where their email should go. – Edward Thomson May 06 '16 at 17:10
  • But we are using AD integration for TFS. All Git users are Active Directory users – Vitaly Lyashenko May 06 '16 at 18:25
  • What they enter in their Git user settings will be registered as the Committer and Author. TFS will store the AD credentials as Committer. – jessehouwing May 06 '16 at 19:11
  • If @EdwardThomson is right, then this post will help you clean up your archive. It will require force-push though. http://stackoverflow.com/a/23564785/736079 It depends on Bash shell. – jessehouwing May 06 '16 at 19:39
  • 1
    @VitalyLyashenko It doesn't matter if they're AD users or not. Users are prompted to enter their email address, and that user likely fat-fingered and entered their password out of habit. Understandable, and has nothing to do with AD or anything else. Run `git config user.email` and see what it says. – Edward Thomson May 06 '16 at 20:35
  • @EdwardThomson, @jessehouwing Thanks. Several users made the same misconfiguration. – Vitaly Lyashenko May 07 '16 at 12:05
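
Added example (not part of the original thread): an audit for the misconfiguration the comments identify, a non-email value stored in `user.email`. It reports the commit hash and which field is suspect without printing the value itself; the function names and sample data are constructed for illustration.

```bash
# Flag commits whose author/committer email field is not shaped like an
# email address (for example, a password typed into user.email).
#
# Input on stdin: one commit per line, tab-separated:
#   <hash> <author email> <committer email>
# which is what this command produces in a real repository:
#   git log --all --format='%h%x09%ae%x09%ce' | flag_suspect_emails
#
# Output: "<hash> <field>" for each suspect field. The field's value is
# never printed, so the report does not copy a leaked secret elsewhere.
flag_suspect_emails() {
    awk -F '\t' '
        # Loose shape check only: local@domain.tld with no spaces.
        function looks_like_email(s) {
            return s ~ /^[^@ ]+@[^@ ]+\.[^@ ]+$/
        }
        {
            if (!looks_like_email($2)) print $1, "author"
            if (!looks_like_email($3)) print $1, "committer"
        }
    '
}

# Constructed sample input: hashes and values are made up for this example.
sample_log() {
    printf '%s\t%s\t%s\n' \
        'a1b2c3d' 'alice@example.com' 'alice@example.com' \
        'e4f5a6b' 'NotAnEmail-Placeholder1!' 'NotAnEmail-Placeholder1!' \
        'c7d8e9f' 'bob@example.com' '' \
        '0a1b2c3' 'carol@corp.example.com' 'carol@corp.example.com'
}

# Demonstration run on the constructed sample.
sample_log | flag_suspect_emails
```

Any value found this way should be treated as a compromised credential and changed, since the affected commits remain visible until history is rewritten and force-pushed as the linked answer describes.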

0 Answers