rubygems#1440. hide basic auth creds from custom sources

hone · Oct 1, 2011 · 7cc4699 · 7cc4699
1 parent 82d4e19
commit 7cc4699
Show file tree

Hide file tree

Showing 4 changed files with 98 additions and 19 deletions.
diff --git a/lib/bundler/fetcher.rb b/lib/bundler/fetcher.rb
@@ -84,7 +84,7 @@ def fetch_remote_specs(gem_names, full_dependency_list = [], last_spec_list = []
       query_list = gem_names - full_dependency_list
       # only display the message on the first run
       if full_dependency_list.empty?
-        Bundler.ui.info "Fetching dependency information from the API at #{@remote_uri}", false
+        Bundler.ui.info "Fetching dependency information from the API at #{strip_user_pass_from_uri(@remote_uri)}", false
       else
         Bundler.ui.info ".", false
       end
@@ -176,7 +176,7 @@ def fetch_dependency_remote_specs(gem_names)
     # fetch from modern index: specs.4.8.gz
     def fetch_all_remote_specs
       @has_api = false
-      Bundler.ui.info "Fetching source index for #{@remote_uri}"
+      Bundler.ui.info "Fetching source index for #{strip_user_pass_from_uri(@remote_uri)}"
       Bundler.ui.debug "Fetching modern index"
       Gem.sources = ["#{@remote_uri}"]
       spec_list = Hash.new { |h,k| h[k] = [] }
@@ -187,13 +187,21 @@ def fetch_all_remote_specs
         begin
           Gem::SpecFetcher.new.list(false, true).each {|k, v| spec_list[k] += v }
         rescue Gem::RemoteFetcher::FetchError
-          Bundler.ui.warn "Could not fetch prerelease specs from #{@remote_uri}"
+          Bundler.ui.warn "Could not fetch prerelease specs from #{strip_user_pass_from_uri(@remote_uri)}"
         end
       rescue Gem::RemoteFetcher::FetchError
-        raise Bundler::HTTPError, "Could not reach #{@remote_uri}"
+        raise Bundler::HTTPError, "Could not reach #{strip_user_pass_from_uri(@remote_uri)}"
       end
 
       return spec_list
     end
+
+    def strip_user_pass_from_uri(uri)
+      uri_dup = uri.dup
+      uri_dup.user = "****" if uri_dup.user
+      uri_dup.password = "****" if uri_dup.password
+
+      uri_dup
+    end
   end
 end
diff --git a/spec/install/gems/dependency_api_spec.rb b/spec/install/gems/dependency_api_spec.rb
@@ -53,21 +53,6 @@
     should_be_installed "rack 1.0.0"
   end
 
-  it "passes basic authentication details" do
-    uri = URI.parse(source_uri)
-    uri.user = "hello"
-    uri.password = "there"
-
-    gemfile <<-G
-      source "#{uri}"
-      gem "rack"
-    G
-
-    bundle :install, :artifice => "endpoint_basic_authentication"
-    out.should include("Fetching dependency information from the API at #{uri}")
-    should_be_installed "rack 1.0.0"
-  end
-
   it "handles git dependencies that are in rubygems" do
     build_git "foo" do |s|
       s.executables = "foobar"
@@ -303,4 +288,40 @@
 
     vendored_gems("bin/rackup").should exist
   end
+
+  it "passes basic authentication details and strips out creds" do
+    uri = URI.parse(source_uri)
+    uri.user = "hello"
+    uri.password = "there"
+
+    gemfile <<-G
+      source "#{uri}"
+      gem "rack"
+    G
+
+    bundle :install, :artifice => "endpoint_basic_authentication"
+    out.should_not include("hello:there")
+    should_be_installed "rack 1.0.0"
+  end
+
+  it "strips http basic authentication creds for modern index" do
+    gemfile <<-G
+      source "http://user:pass@localgameserver.test"
+      gem "rack"
+    G
+
+    bundle :install, :artifice => "endopint_marshal_fail_basic_authentication"
+    out.should_not include("user:pass")
+    should_be_installed "rack 1.0.0"
+  end
+
+  it "strips http basic auth creds when it can't reach the server" do
+    gemfile <<-G
+      source "http://user:pass@foo.com"
+      gem "rack"
+    G
+
+    bundle :install, :artifice => "endpoint_500"
+    out.should_not include("user:pass")
+  end
 end
diff --git a/spec/support/artifice/endopint_marshal_fail_basic_authentication.rb b/spec/support/artifice/endopint_marshal_fail_basic_authentication.rb
@@ -0,0 +1,13 @@
+require File.expand_path("../endpoint_marshal_fail", __FILE__)
+
+Artifice.deactivate
+
+class EndpointMarshalFailBasicAuthentication < EndpointMarshalFail
+  before do
+    unless env["HTTP_AUTHORIZATION"]
+      halt 401, "Authentication info not supplied"
+    end
+  end
+end
+
+Artifice.activate_with(EndpointMarshalFailBasicAuthentication)
diff --git a/spec/support/artifice/endpoint_500.rb b/spec/support/artifice/endpoint_500.rb
@@ -0,0 +1,37 @@
+require File.expand_path("../../path.rb", __FILE__)
+include Spec::Path
+
+$LOAD_PATH.unshift "#{Dir[base_system_gems.join("gems/artifice*/lib")].first}"
+$LOAD_PATH.unshift "#{Dir[base_system_gems.join("gems/rack-*/lib")].first}"
+$LOAD_PATH.unshift "#{Dir[base_system_gems.join("gems/rack-*/lib")].last}"
+$LOAD_PATH.unshift "#{Dir[base_system_gems.join("gems/tilt*/lib")].first}"
+$LOAD_PATH.unshift "#{Dir[base_system_gems.join("gems/sinatra*/lib")].first}"
+
+require 'artifice'
+require 'sinatra/base'
+
+Artifice.deactivate
+
+class Endpoint500 < Sinatra::Base
+  get "/quick/Marshal.4.8/:id" do
+    halt 500
+  end
+
+  get "/fetch/actual/gem/:id" do
+    halt 500
+  end
+
+  get "/gems/:id" do
+    halt 500
+  end
+
+  get "/api/v1/dependencies" do
+    halt 500
+  end
+
+  get "/specs.4.8.gz" do
+    halt 500
+  end
+end
+
+Artifice.activate_with(Endpoint500)