Security: only forward auth to submodules on same host

Addresses credential exfiltration risk where a malicious .gitmodules could
point to an attacker-controlled server and receive the parent repo's auth.

- Add extractHost() to parse host from standard URLs and SCP-like URLs
- Add SameHost() to compare hosts (case-insensitive, ignores port)
- Only forward RepoAuth to submodule if hosts match
- Log warning when auth is not forwarded due to different host
- Add comprehensive tests for SameHost()

Author: bjornrobertsson

git/git.go

@@ -439,6 +439,32 @@ func ProgressWriter(write func(line string, args ...any)) io.WriteCloser {
 // This handles: git@github.com:org/repo, deploy@host:repo, user@10.0.0.5:project
 var scpLikeURLRegex = regexp.MustCompile(`^([^@]+)@([^:]+):(.+)$`)
 
+// extractHost extracts the host from a URL, handling both standard URLs and SCP-like URLs.
+// Returns empty string if host cannot be determined.
+func extractHost(u string) string {
+	// Try standard URL parsing first
+	if parsed, err := url.Parse(u); err == nil && parsed.Host != "" {
+		// Remove port if present
+		host := parsed.Hostname()
+		return strings.ToLower(host)
+	}
+
+	// Handle SCP-like URLs: user@host:path
+	if matches := scpLikeURLRegex.FindStringSubmatch(u); matches != nil {
+		return strings.ToLower(matches[2])
+	}
+
+	return ""
+}
+
+// SameHost checks if two URLs point to the same host.
+// Used to determine if credentials should be forwarded to submodules.
+func SameHost(url1, url2 string) bool {
+	host1 := extractHost(url1)
+	host2 := extractHost(url2)
+	return host1 != "" && host2 != "" && host1 == host2
+}
+
 // RedactURL redacts credentials from a URL for safe logging.
 // Handles:
 //   - Standard URLs with userinfo: https://user:pass@host, https://token@host
@@ -627,6 +653,16 @@ func cloneSubmodule(ctx context.Context, logf func(string, ...any), parentWorktr
 		return fmt.Errorf("chroot to submodule path: %w", err)
 	}
 
+	// Security: Only forward parent repo auth if submodule is on the same host.
+	// This prevents credential exfiltration if a malicious .gitmodules points
+	// to an attacker-controlled server.
+	var submoduleAuth transport.AuthMethod
+	if SameHost(opts.RepoURL, resolvedURL) {
+		submoduleAuth = opts.RepoAuth
+	} else if opts.RepoAuth != nil {
+		logf("  ⚠ Not forwarding auth to submodule (different host: %s)", extractHost(resolvedURL))
+	}
+
 	// Check if already cloned
 	_, err = subFS.Stat(".git")
 	if err == nil {
@@ -675,7 +711,7 @@ func cloneSubmodule(ctx context.Context, logf func(string, ...any), parentWorktr
 	// Use SingleBranch=false to fetch all branches so we can find the commit
 	subRepo, err := git.CloneContext(ctx, gitStorage, subFS, &git.CloneOptions{
 		URL:             resolvedURL,
-		Auth:            opts.RepoAuth,
+		Auth:            submoduleAuth,
 		Progress:        opts.Progress,
 		InsecureSkipTLS: opts.Insecure,
 		CABundle:        opts.CABundle,
@@ -698,7 +734,7 @@ func cloneSubmodule(ctx context.Context, logf func(string, ...any), parentWorktr
 			RefSpecs: []config.RefSpec{
 				config.RefSpec("+" + expectedHash.String() + ":" + expectedHash.String()),
 			},
-			Auth:            opts.RepoAuth,
+			Auth:            submoduleAuth,
 			Progress:        opts.Progress,
 			InsecureSkipTLS: opts.Insecure,
 			CABundle:        opts.CABundle,
@@ -709,7 +745,7 @@ func cloneSubmodule(ctx context.Context, logf func(string, ...any), parentWorktr
 			logf("  Direct fetch failed, fetching all refs...")
 			err = subRepo.FetchContext(ctx, &git.FetchOptions{
 				RemoteName:      "origin",
-				Auth:            opts.RepoAuth,
+				Auth:            submoduleAuth,
 				Progress:        opts.Progress,
 				InsecureSkipTLS: opts.Insecure,
 				CABundle:        opts.CABundle,

git/git_test.go

@@ -680,6 +680,104 @@ func TestRedactURL(t *testing.T) {
 	}
 }
 
+func TestSameHost(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name   string
+		url1   string
+		url2   string
+		expect bool
+	}{
+		// Same host cases
+		{
+			name:   "https same host",
+			url1:   "https://github.com/org/repo.git",
+			url2:   "https://github.com/other/submodule.git",
+			expect: true,
+		},
+		{
+			name:   "https and scp same host",
+			url1:   "https://github.com/org/repo.git",
+			url2:   "git@github.com:other/submodule.git",
+			expect: true,
+		},
+		{
+			name:   "scp same host",
+			url1:   "git@github.com:org/repo.git",
+			url2:   "git@github.com:other/submodule.git",
+			expect: true,
+		},
+		{
+			name:   "case insensitive",
+			url1:   "https://GitHub.com/org/repo.git",
+			url2:   "https://github.com/other/submodule.git",
+			expect: true,
+		},
+		{
+			name:   "with port same host",
+			url1:   "https://github.com:443/org/repo.git",
+			url2:   "https://github.com/other/submodule.git",
+			expect: true,
+		},
+		{
+			name:   "ssh scheme same host",
+			url1:   "ssh://git@github.com/org/repo.git",
+			url2:   "https://github.com/other/submodule.git",
+			expect: true,
+		},
+
+		// Different host cases
+		{
+			name:   "different hosts",
+			url1:   "https://github.com/org/repo.git",
+			url2:   "https://gitlab.com/other/submodule.git",
+			expect: false,
+		},
+		{
+			name:   "scp different hosts",
+			url1:   "git@github.com:org/repo.git",
+			url2:   "git@evil.com:exfiltrate/creds.git",
+			expect: false,
+		},
+		{
+			name:   "subdomain is different",
+			url1:   "https://github.com/org/repo.git",
+			url2:   "https://api.github.com/other/submodule.git",
+			expect: false,
+		},
+
+		// Edge cases
+		{
+			name:   "empty url1",
+			url1:   "",
+			url2:   "https://github.com/other/submodule.git",
+			expect: false,
+		},
+		{
+			name:   "relative url",
+			url1:   "https://github.com/org/repo.git",
+			url2:   "../other/submodule.git",
+			expect: false,
+		},
+		{
+			name:   "file path",
+			url1:   "https://github.com/org/repo.git",
+			url2:   "/local/path/to/repo",
+			expect: false,
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			got := git.SameHost(tc.url1, tc.url2)
+			require.Equal(t, tc.expect, got)
+		})
+	}
+}
+
 func TestResolveSubmoduleURL(t *testing.T) {
 	t.Parallel()