1

We had a developer submit a PR that had a plain text password in it. The reviewer asked for it to be removed and loaded in another way so it didn't make its way into the repo. It has since been fixed. However, the history of the PR still shows the original commit with the password. Is there any way to remove a portion of the history of the PR (or if necessary the entire PR) so that other users cannot view that password?

If there isn't a supported answer, we happen to be using AzDev 2019 server, which I believe should enable us to remove it somehow...

Note in this case we can just change the password, so this isn't a deal-breaker, but it would be nice to know how to do this for future occurrences where changing a password is more difficult.

TTT

3 Answers

2

It's not possible to delete a Pull Request at the moment in Azure DevOps Server.

We already have a user voice item on the Developer Community feature request site. Kindly vote it up and track the status.

Allow deletion of pull requests

https://developercommunityapi.westus.cloudapp.azure.com/idea/365572/allow-deletion-of-pull-requests.html

If you haven't committed the pull request, we give an option to abandon the pull request, which leaves it hanging around.

This should be a team process policy, to keep users from committing plain-text passwords. Changing the password is the safest option.

PatrickLu-MSFT
0

I see your point, but the rule of thumb is: if a password was exposed, you should revoke it ASAP.

You can also try this:

To replace all text listed in passwords.txt wherever it can be found in your repository's history, run:

$ bfg --replace-text passwords.txt

I was looking at REST API for Pull requests, but there is nothing about removing it.

Krzysztof Madej
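Whichever rewrite is used, it is worth checking that the string is really gone. The script below is an added example, not part of any answer on this page: it recreates the situation from the question in a throwaway local repository and counts where the string survives after the follow-up fix commit, after a history rewrite, and after pruning. The repository, file names, helper names and `SECRET` value are constructed, and it inspects a local clone only, so it says nothing about what the server keeps for a PR.

```shell
#!/bin/sh
# Added example; the repo, file names and SECRET value are constructed.
SECRET='Constructed-Passw0rd-123'
g() { git -c user.name=demo -c user.email=demo@example.invalid -c commit.gpgsign=false "$@"; }

# Recreate the question: one commit adds the password, the next removes it.
make_demo_repo() {  # $1 = empty directory
    g -C "$1" init -q
    echo demo > "$1/README" && g -C "$1" add README && g -C "$1" commit -q -m init
    echo "db_password=$SECRET" > "$1/app.conf"
    g -C "$1" add app.conf && g -C "$1" commit -q -m 'add config'
    echo 'db_password_env=DB_PASSWORD' > "$1/app.conf"
    g -C "$1" commit -q -am 'load password from environment'
}

# Number of commits reachable from any ref whose tree contains the string.
commits_with_secret() {  # $1 = repo, $2 = string
    g -C "$1" rev-list --all | while read -r c; do
        if g -C "$1" grep -q -F -e "$2" "$c" --; then echo "$c"; fi
    done | wc -l | tr -d ' '
}

# Number of blobs in the object store, reachable or not, containing the string.
blobs_with_secret() {  # $1 = repo, $2 = string
    g -C "$1" cat-file --batch-all-objects --batch-check |
    while read -r oid type size; do
        [ "$type" = blob ] || continue
        if g -C "$1" cat-file -p "$oid" | grep -q -F -e "$2"; then echo "$oid"; fi
    done | wc -l | tr -d ' '
}

# History rewrite: squash the leaking commit and its fix into one clean commit.
rewrite_branch() { g -C "$1" reset -q --soft HEAD~2 && g -C "$1" commit -q -m 'add config'; }

# Expire reflog entries and prune the objects the rewrite left unreachable.
purge_unreachable() { g -C "$1" reflog expire --expire=now --all && g -C "$1" gc -q --prune=now; }

report() { echo "$2: commits=$(commits_with_secret "$1" "$SECRET") blobs=$(blobs_with_secret "$1" "$SECRET")"; }

demo() {
    d=$(mktemp -d) && make_demo_repo "$d" && report "$d" 'after fix commit'
    rewrite_branch "$d" && report "$d" 'after rewrite'
    purge_unreachable "$d" && report "$d" 'after prune'
    rm -rf "$d"
}
demo
```

The fix commit alone leaves the password in one reachable commit; the rewrite removes it from the branch, but the blob stays in the local object store until it is pruned.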
0

I have encountered a similar problem and one solution could be to remove the repository in Azure which would remove the history as well. So fixing the issues locally then creating a new remote repo for the branch would be a way to go.

  • 1
    If I understand what you're suggesting, it would go something like this: 1) clone the repo and rewrite the branch with the password in it. 2) Delete the repo in AzDO. 3) Re-push the entire repo back out. - I agree that would fix the issue, but **I think the side effects would be far too painful.** *Maybe* all the links would reconnect afterwards, but I'm guessing you would lose all of the orphaned commits from the history of each PR, plus all of your individual branch security and policies would be gone. – TTT Dec 30 '22 at 18:06
  • I'm not sure what you mean by 'links reconnect'. – David Barth Jan 05 '23 at 22:58
  • My case was a simple case where I could just reset to an early commit at the early stage of a POC to remove the offending lines I didn't need. Then I recreated the repo on Azure, set it to remote for the local and push. The old history was gone. It was a new repo and nothing else showed just what I had in my local. Tested with a play repo with an existing PR and then abandoned PR and it wasn't in history. Removing repo is destructive. – David Barth Jan 05 '23 at 23:06
  • (I'm not entirely sure what I meant by that either!) I suppose I meant that work items and PRs have links to commits. If you delete the repo, and then push it back out, will those links stay pointing to those commits, or do the links disappear? (I've never tried but I'd guess they would still exist and just be dead links until the commits come back.) But all the previously orphaned commits, say from rebasing and re-pushing new updates to a PR, would be dead links from then on. – TTT Jan 05 '23 at 23:06
  • I think if you remove the repo on Azure it's gone and everything linked to it is gone. Worth testing a more complex example where you recreate the scenario and see what happens. I'm learning Azure as we speak but had some experience with it before, but this issue didn't come across for me before. Would be very cautious with a big project or just straight revoke pswd as suggested by others. – David Barth Jan 05 '23 at 23:10