Function git_credential_helper 

pub fn git_credential_helper(
    cred: &Credential,
    expect_host: Option<&str>,
) -> GitCredentialHelper

Build a git credential.helper invocation that supplies cred over HTTPS while keeping the secret out of argv (which is broadly observable). The returned config_args install an inline helper that prints the credential read from two environment variables; the secret value appears only in env, i.e. the child process environment. A leading empty credential.helper= first clears any inherited helper so only ours runs.

The helper is a tiny POSIX-shell snippet: git runs credential.helper values that begin with ! via the shell it ships with (so this works on Windows too, where Git for Windows bundles its own sh — it never goes through cmd.exe). It applies to HTTPS remotes only: git invokes a credential helper just for HTTP(S) user/password auth, so an SSH remote ignores it and falls through to the SSH agent. It is opt-in — built only when a CredentialProvider yields a credential — so the default path is unchanged. The helper answers only git’s get action (never store/erase), so the secret is never written to a credential cache or config; it lives only in the child’s environment.

The username/secret must not contain a newline: git’s credential protocol is line-based, so an embedded \n is read as the end of the value (git truncates there). Real tokens and usernames never contain one.

expect_host scopes the credential to a host: when Some, the helper reads git’s request (which names the host git is about to authenticate to) and releases the secret only if that host matches, so a cross-host redirect or a submodule fetch to another host can’t extract the token. None (or an unknown host) leaves the helper ungated. Callers that know the operation’s target (e.g. clone, from its URL) pass the https_host of that target.
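
The host-gated helper described above can be sketched as a shell function. This is an added example, not the crate's own helper text; the EXAMPLE_* variable names, the function names and the sample requests are assumptions constructed for illustration, and refusing newline-bearing values is this sketch's choice.

```shell
# Added sketch, not the crate's real helper. EXAMPLE_* names are assumptions.
# git would run it inline, with the action appended as the last argument:
#   git -c credential.helper= -c 'credential.helper=!f() { ...; }; f' fetch

# Succeeds only if $1 has no newline (the credential protocol is line-based).
no_newline() {
    case $1 in
        *'
'*) return 1 ;;
    esac
}

cred_helper() {
    [ "$1" = get ] || return 0      # ignore store/erase: nothing is persisted
    req_host=
    # Request on stdin: key=value lines, ended by a blank line or EOF.
    while IFS= read -r line; do
        [ -n "$line" ] || break
        case $line in
            host=*) req_host=${line#host=} ;;
        esac
    done
    # Host gate: with an expected host set, answer only on an exact match.
    # git's host value carries the port when the URL names one.
    if [ -n "${EXAMPLE_EXPECT_HOST-}" ] &&
       [ "$req_host" != "$EXAMPLE_EXPECT_HOST" ]; then
        return 0                    # empty reply: no credential released
    fi
    # This sketch refuses newline-bearing values instead of letting git truncate.
    no_newline "$EXAMPLE_GIT_USER" || return 0
    no_newline "$EXAMPLE_GIT_SECRET" || return 0
    printf 'username=%s\npassword=%s\n' "$EXAMPLE_GIT_USER" "$EXAMPLE_GIT_SECRET"
}

# Constructed demo: one matching request, one for a different host.
(
    EXAMPLE_GIT_USER=alice EXAMPLE_GIT_SECRET=constructed-token
    EXAMPLE_EXPECT_HOST=git.example.com
    printf 'protocol=https\nhost=git.example.com\n\n' | cred_helper get
    printf 'protocol=https\nhost=other.example.net\n\n' | cred_helper get
)
```

Only the first demo request produces output; the second gets an empty reply, which git treats as "this helper has no credential".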