Fixes #20902 : Avoid conflict when Git URL contains embedded username

When cloning Git data sources with URLs containing embedded usernames (e.g., https://user@bitbucket.org/...), NetBox was also passing explicit username/password kwargs to dulwich, causing authentication failures. Now checks for URL-embedded credentials before passing explicit kwargs.
Support for max_length and max_depth standardised for prefix_list, aggreate/prefixes and prefix/prefixes
2026-01-22 11:38:45 -06:00 · 2026-01-21 15:24:44 -06:00 · 2026-01-21 10:02:06 -05:00
7 changed files with 109 additions and 35 deletions
--- a/netbox/core/data_backends.py
+++ b/netbox/core/data_backends.py
@@ -102,7 +102,10 @@ class GitBackend(DataBackend):
            clone_args['pool_manager'] = ProxyPoolManager(self.socks_proxy)

        if self.url_scheme in ('http', 'https'):
-            if self.params.get('username'):
+            # Only pass explicit credentials if URL doesn't already contain embedded username
+            # to avoid credential conflicts
+            parsed_url = urlparse(self.url)
+            if not parsed_url.username and self.params.get('username'):
                clone_args.update(
                    {
                        "username": self.params.get('username'),
--- a/netbox/core/tests/test_data_backends.py
+++ b/netbox/core/tests/test_data_backends.py
@@ -0,0 +1,59 @@
+from unittest.mock import patch
+
+from django.test import TestCase
+
+from core.data_backends import GitBackend
+
+
+class GitBackendCredentialTests(TestCase):
+
+    def _get_clone_kwargs(self, url, **params):
+        backend = GitBackend(url=url, **params)
+
+        with patch('dulwich.porcelain.clone') as mock_clone, \
+             patch('dulwich.porcelain.NoneStream'):
+            try:
+                with backend.fetch():
+                    pass
+            except Exception:
+                pass
+
+            if mock_clone.called:
+                return mock_clone.call_args.kwargs
+            return {}
+
+    def test_url_with_embedded_username_skips_explicit_credentials(self):
+        kwargs = self._get_clone_kwargs(
+            url='https://myuser@bitbucket.org/workspace/repo.git',
+            username='myuser',
+            password='my-api-key'
+        )
+
+        self.assertEqual(kwargs.get('username'), None)
+        self.assertEqual(kwargs.get('password'), None)
+
+    def test_url_without_embedded_username_passes_explicit_credentials(self):
+        kwargs = self._get_clone_kwargs(
+            url='https://bitbucket.org/workspace/repo.git',
+            username='myuser',
+            password='my-api-key'
+        )
+
+        self.assertEqual(kwargs.get('username'), 'myuser')
+        self.assertEqual(kwargs.get('password'), 'my-api-key')
+
+    def test_url_with_embedded_username_no_explicit_credentials(self):
+        kwargs = self._get_clone_kwargs(
+            url='https://myuser@bitbucket.org/workspace/repo.git'
+        )
+
+        self.assertEqual(kwargs.get('username'), None)
+        self.assertEqual(kwargs.get('password'), None)
+
+    def test_public_repo_no_credentials(self):
+        kwargs = self._get_clone_kwargs(
+            url='https://github.com/public/repo.git'
+        )
+
+        self.assertEqual(kwargs.get('username'), None)
+        self.assertEqual(kwargs.get('password'), None)
--- a/netbox/templates/ipam/aggregate/prefixes.html
+++ b/netbox/templates/ipam/aggregate/prefixes.html
@@ -3,6 +3,8 @@

 {% block extra_controls %}
  {% include 'ipam/inc/toggle_available.html' %}
+  {% include 'ipam/inc/max_depth.html' %}
+  {% include 'ipam/inc/max_length.html' %}  
  {% if perms.ipam.add_prefix and first_available_prefix %}
    <a href="{% url 'ipam:prefix_add' %}?prefix={{ first_available_prefix }}" class="btn btn-primary">
      <i class="mdi mdi-plus-thick" aria-hidden="true"></i> {% trans "Add Prefix" %}
--- a/netbox/templates/ipam/inc/max_depth.html
+++ b/netbox/templates/ipam/inc/max_depth.html
@@ -0,0 +1,20 @@
+{% load i18n %}
+{% load helpers %}
+
+<div class="dropdown">
+    <button class="btn btn-outline-secondary dropdown-toggle" type="button" id="max_depth" data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="true">
+        {% trans "Max Depth" %}{% if "depth__lte" in request.GET %}: {{ request.GET.depth__lte }}{% endif %}
+    </button>
+    <ul class="dropdown-menu" aria-labelledby="max_depth">
+        {% if request.GET.depth__lte %}
+            <li>
+                <a class="dropdown-item" href="{{ request.path }}{% querystring request depth__lte=None page=1 %}">{% trans "Clear" %}</a>
+            </li>
+        {% endif %}
+        {% for i in 16|as_range %}
+            <li><a class="dropdown-item" href="{{ request.path }}{% querystring request depth__lte=i page=1 %}">
+                {{ i }} {% if request.GET.depth__lte == i %}<i class="mdi mdi-check-bold"></i>{% endif %}
+            </a></li>
+        {% endfor %}
+    </ul>
+</div>
--- a/netbox/templates/ipam/inc/max_length.html
+++ b/netbox/templates/ipam/inc/max_length.html
@@ -0,0 +1,20 @@
+{% load i18n %}
+{% load helpers %}
+
+<div class="dropdown">
+    <button class="btn btn-outline-secondary dropdown-toggle" type="button" id="max_length" data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="true">
+        {% trans "Max Length" %}{% if "mask_length__lte" in request.GET %}: {{ request.GET.mask_length__lte }}{% endif %}
+    </button>
+    <ul class="dropdown-menu" aria-labelledby="max_length">
+        {% if request.GET.mask_length__lte %}
+            <li>
+                <a class="dropdown-item" href="{{ request.path }}{% querystring request mask_length__lte=None page=1 %}">{% trans "Clear" %}</a>
+            </li>
+        {% endif %}
+        {% for i in "4,8,12,16,20,24,28,32,40,48,56,64"|split %}
+            <li><a class="dropdown-item" href="{{ request.path }}{% querystring request mask_length__lte=i page=1 %}">
+                {{ i }} {% if request.GET.mask_length__lte == i %}<i class="mdi mdi-check-bold"></i>{% endif %}
+            </a></li>
+        {% endfor %}
+    </ul>
+</div>
--- a/netbox/templates/ipam/prefix/prefixes.html
+++ b/netbox/templates/ipam/prefix/prefixes.html
@@ -3,6 +3,8 @@

 {% block extra_controls %}
  {% include 'ipam/inc/toggle_available.html' %}
+  {% include 'ipam/inc/max_depth.html' %}
+  {% include 'ipam/inc/max_length.html' %}  
  {% if perms.ipam.add_prefix and first_available_prefix %}
    <a href="{% url 'ipam:prefix_add' %}?prefix={{ first_available_prefix }}&vrf={{ object.vrf.pk }}&site={{ object.site.pk }}&tenant_group={{ object.tenant.group.pk }}&tenant={{ object.tenant.pk }}" class="btn btn-primary">
      <i class="mdi mdi-plus-thick" aria-hidden="true"></i> {% trans "Add Prefix" %}
--- a/netbox/templates/ipam/prefix_list.html
+++ b/netbox/templates/ipam/prefix_list.html
@@ -6,38 +6,6 @@
    <button class="btn btn-outline-secondary toggle-depth" type="button">
        {% trans "Hide Depth Indicators" %}
    </button>
-    <div class="dropdown">
-        <button class="btn btn-outline-secondary dropdown-toggle" type="button" id="max_depth" data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="true">
-            {% trans "Max Depth" %}{% if "depth__lte" in request.GET %}: {{ request.GET.depth__lte }}{% endif %}
-        </button>
-        <ul class="dropdown-menu" aria-labelledby="max_depth">
-            {% if request.GET.depth__lte %}
-                <li>
-                    <a class="dropdown-item" href="{% url 'ipam:prefix_list' %}{% querystring request depth__lte=None page=1 %}">{% trans "Clear" %}</a>
-                </li>
-            {% endif %}
-            {% for i in 16|as_range %}
-                <li><a class="dropdown-item" href="{% url 'ipam:prefix_list' %}{% querystring request depth__lte=i page=1 %}">
-                    {{ i }} {% if request.GET.depth__lte == i %}<i class="mdi mdi-check-bold"></i>{% endif %}
-                </a></li>
-            {% endfor %}
-        </ul>
-    </div>
-    <div class="dropdown">
-        <button class="btn btn-outline-secondary dropdown-toggle" type="button" id="max_length" data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="true">
-            {% trans "Max Length" %}{% if "mask_length__lte" in request.GET %}: {{ request.GET.mask_length__lte }}{% endif %}
-        </button>
-        <ul class="dropdown-menu" aria-labelledby="max_length">
-            {% if request.GET.mask_length__lte %}
-                <li>
-                    <a class="dropdown-item" href="{% url 'ipam:prefix_list' %}{% querystring request mask_length__lte=None page=1 %}">{% trans "Clear" %}</a>
-                </li>
-            {% endif %}
-            {% for i in "4,8,12,16,20,24,28,32,40,48,56,64"|split %}
-                <li><a class="dropdown-item" href="{% url 'ipam:prefix_list' %}{% querystring request mask_length__lte=i page=1 %}">
-                    {{ i }} {% if request.GET.mask_length__lte == i %}<i class="mdi mdi-check-bold"></i>{% endif %}
-                </a></li>
-            {% endfor %}
-        </ul>
-    </div>
+    {% include 'ipam/inc/max_depth.html' %}
+    {% include 'ipam/inc/max_length.html' %}
 {% endblock %}
Author	SHA1	Message	Date
Jason Novinger	7eedefb2df	Fixes #20902 : Avoid conflict when Git URL contains embedded username When cloning Git data sources with URLs containing embedded usernames (e.g., https://user@bitbucket.org/...), NetBox was also passing explicit username/password kwargs to dulwich, causing authentication failures. Now checks for URL-embedded credentials before passing explicit kwargs.	2026-01-21 15:24:44 -06:00
Matthew Papaleo	339ad455e4	Support for max_length and max_depth standardised for prefix_list, aggreate/prefixes and prefix/prefixes Some checks failed CI / build (20.x, 3.12) (push) Has been cancelled Details CI / build (20.x, 3.13) (push) Has been cancelled Details CI / build (20.x, 3.14) (push) Has been cancelled Details CodeQL / Analyze (actions) (push) Has been cancelled Details CodeQL / Analyze (javascript-typescript) (push) Has been cancelled Details CodeQL / Analyze (python) (push) Has been cancelled Details	2026-01-21 10:02:06 -05:00