cmd/go: GOPROXY credentials exposed in case of errors #30610
What version of Go are you using (
referenced this issue
Mar 6, 2019
Don't pass credentials in the
Proper HTTPS basic auth support is coming in #26232. At that point you won't need to encode it in the URL, and logging the URL will not leak anything. So I'm closing this issue as a duplicate of #26232, and in the interim please find some other way to inject your credentials (maybe another layer of GOPROXY?).
Passing credentials via
As seen in gomods/athens#1046 this is an issue that others already have noticed. The fact that Athens supports basic auth will increase the risk that others go down this path since proper auth isn't in place yet.
Even when proper auth is in place, will there be anything that prevents the user from still setting credentials in their
(CC @FiloSottile who might have something to add since he asked me to open this issue when I asked about it)
FWIW Once Go Modules supports proper authentication such as sending headers to GOPROXY we will make Athens accept that mechanism and probably remove the basic auth option.
That said, I also agree that Go should detect and reject credentials in the URL or at least detect and obfuscate them in logs.
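The "detect and reject, or at least obfuscate in logs" idea from the comments above, sketched as an added example; it is not code from this thread, from cmd/go or from Athens. The function names and the sample URLs are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// redactURL replaces the whole userinfo, username included, because a
// token is often passed as the username alone.
func redactURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		// Never echo an unparseable URL: it may still hold the secret.
		return "[unparseable URL redacted]"
	}
	if u.User == nil {
		return raw
	}
	u.User = url.User("REDACTED")
	return u.String()
}

// scrubError rewrites a *url.Error (the type url.Parse and net/http use
// to report failures) so that its URL field is redacted.
func scrubError(err error) error {
	var ue *url.Error
	if errors.As(err, &ue) {
		return &url.Error{Op: ue.Op, URL: redactURL(ue.URL), Err: ue.Err}
	}
	return err
}

// rejectCredentials refuses a proxy URL that embeds userinfo and keeps
// the secret out of the error it returns.
func rejectCredentials(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return scrubError(err)
	}
	if u.User != nil {
		return fmt.Errorf("proxy URL %s embeds credentials", redactURL(raw))
	}
	return nil
}

func main() {
	// Constructed sample values, not taken from the issue.
	fmt.Println(rejectCredentials("https://proxy.example.com/mod"))
	fmt.Println(rejectCredentials("https://alice:s3cret@proxy.example.com/mod"))
	fmt.Println(rejectCredentials("https://alice:s3cret@proxy.example.com:badport/"))
}
```

The third sample shows why the parse-failure path matters: the error returned by `url.Parse` quotes the raw URL, so an unscrubbed parse error would print the password.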