Summary
Currently, if command line flag --verbose is given, python-inspector outputs all repositories and their respective credentials, including username and password in plain text.
In order to reduce the risk of an adversary gaining access to the password, please add masking of passwords in the printer that prints the log output.
Current behavior
When running python-inspector with --verbose, the tool prints information about all configured repositories, including:
- Repository URL or name
- Username
- Password in plain text
This means anyone with access to logs (local logs, CI logs, support dumps, etc.) can see the full password.
Requested behaviour
When the printer outputs credentials in --verbose mode, apply the following masking rules to the password:
- If the password has a length of less than 12 characters, output only: ***
- Else (password length ≥ 12), print: the first 3 characters of the password, then ***, then the last 3 characters of the password.
Example: abc***xyz
The username and other non-secret fields can remain unchanged.
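As an added example (not code from the python-inspector project), the following Python sketch applies the masking rule above inside a verbose printer. The function names, the repository record layout and the sample credentials are constructed for this illustration. The URL handling goes one step beyond the issue text: it also masks a password that is embedded in the repository URL itself (the `user:password@host` form), since that field would otherwise leak the same secret through the "Repository URL" line.

```python
from urllib.parse import unquote, urlsplit, urlunsplit

# Threshold from the issue: passwords shorter than this are fully masked.
FULL_MASK_BELOW = 12
VISIBLE_EDGE = 3  # characters kept at each end for longer passwords


def mask_password(password):
    """Mask a password for log output.

    < 12 characters  -> "***"
    >= 12 characters -> first 3 chars + "***" + last 3 chars
    None or empty    -> "***" (nothing useful to show, and never an empty secret)
    """
    if not password or len(password) < FULL_MASK_BELOW:
        return "***"
    return f"{password[:VISIBLE_EDGE]}***{password[-VISIBLE_EDGE:]}"


def mask_url(url):
    """Mask a password embedded in the userinfo part of a URL.

    Assumption (beyond the issue text): repository URLs may carry credentials
    as https://user:password@host/path; the password there is masked with the
    same rule, the username is left as-is.
    """
    parts = urlsplit(url)
    netloc = parts.netloc
    if "@" not in netloc:
        return url
    userinfo, host = netloc.rsplit("@", 1)
    if ":" not in userinfo:
        return url
    user, password = userinfo.split(":", 1)
    # Percent-decode before masking so the length rule applies to the real secret.
    masked = mask_password(unquote(password))
    return urlunsplit(parts._replace(netloc=f"{user}:{masked}@{host}"))


def format_repository(repo):
    """Build one verbose log line for a repository record (constructed layout).

    The raw password never reaches the string that is logged: masking happens
    before formatting, so no logger, handler or CI capture sees the full value.
    """
    return (
        f"repository={mask_url(repo['url'])} "
        f"username={repo['username']} "
        f"password={mask_password(repo['password'])}"
    )


def verbose_repository_lines(repos):
    """Return the lines a --verbose printer would emit for all repositories."""
    return [format_repository(r) for r in repos]


if __name__ == "__main__":
    # Constructed sample records, not real credentials.
    sample_repos = [
        {"url": "https://pypi.example.org/simple", "username": "alice", "password": "short"},
        {"url": "https://pypi.example.org/simple", "username": "bob", "password": "abc123456xyz"},
        {"url": "https://carol:supersecretpassword@pypi.example.org/simple",
         "username": "carol", "password": "supersecretpassword"},
    ]
    for line in verbose_repository_lines(sample_repos):
        print(line)
```

Two details worth noting for a reviewer of the real change: the `None`/empty case is folded into `***` so a missing password is not printed as an empty string that could be mistaken for "no password configured", and the masking is applied to the value before it is interpolated, which keeps the unmasked secret out of every logging path rather than only out of one format string.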
Rationale
This feature would:
- Reduce the risk of leaking passwords to an acceptable level, because the full password is never printed.
- Still keep --verbose useful for support and maintenance: one can still verify whether the password used is the expected one by checking the visible prefix and suffix.
To stress it again:
Masking out the password completely would render the --verbose switch useless for troubleshooting.
The proposed partial masking (abc***xyz) keeps both security and usability in balance.