Redact single-part login credentials from URLs. #6891

Closed
chrahunt opened this issue Aug 18, 2019 · 2 comments · Fixed by #6921

Comments

@chrahunt
Member

@chrahunt chrahunt commented Aug 18, 2019

What's the problem this feature will solve?

Currently pip._internal.utils.misc.redact_password_from_url does the following:

  1. input: http://hello:foo@foo.com/bar; output: http://hello:****@foo.com/bar
  2. input: http://hello@foo.com/bar; output: http://hello@foo.com/bar

This can be bad and still leak credentials for index servers that use a single API token for login, for example:

  1. input: https://accesstoken@github.com; output: https://accesstoken@github.com

Describe the solution you'd like

When the auth portion of a URL consists of a single element, we should be redacting it.

This should require renaming pip._internal.utils.misc.redact_password_from_url to redact_auth_from_url and updating the behavior so that if only a username is present, then it will be redacted.

Some tests that will also need to be updated:

  1. tests.unit.test_utils.test_redact_netloc
  2. tests.unit.test_utils.test_redact_password_from_url

Alternative Solutions

  1. Do nothing

Additional context

This was mentioned as an issue on PR #6890.

For an example of when this single-part login is used, see #6796.


This issue is a good starting point for anyone who wants to help out with pip's development -- it's simple and the process of fixing this should be a good introduction to pip's development workflow.
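To illustrate the gap described above, here is an added example (my own code, not pip's implementation) with the password-only redaction that lets a single-part token through beside the proposed redact_auth_from_url behaviour that masks it. Function names and the `****` mask are assumed from the issue text.

```python
from urllib.parse import urlsplit, urlunsplit


def _split_netloc(netloc: str):
    """Return (auth, host) for 'auth@host', or (None, netloc) when no auth is present."""
    if "@" not in netloc:
        return None, netloc
    # rsplit so a raw '@' inside the auth part still leaves the host intact.
    auth, host = netloc.rsplit("@", 1)
    return auth, host


def _redact_password_only(netloc: str) -> str:
    """Old behaviour from the issue (kept for contrast): only the part after ':' is
    masked, so a single-element auth such as 'accesstoken@host' passes through."""
    auth, host = _split_netloc(netloc)
    if auth is None or ":" not in auth:
        return netloc
    user, _password = auth.split(":", 1)
    return f"{user}:****@{host}"


def redact_netloc(netloc: str) -> str:
    """Proposed behaviour: mask the password when there is one, and mask the whole
    auth part when it consists of a single element (e.g. an API token)."""
    auth, host = _split_netloc(netloc)
    if auth is None:
        return netloc
    if ":" in auth:
        user, _password = auth.split(":", 1)
        return f"{user}:****@{host}"
    return f"****@{host}"


def _apply(url: str, redact):
    # Rewrite only the netloc so scheme, path and query survive unchanged.
    parts = urlsplit(url)
    return urlunsplit(parts._replace(netloc=redact(parts.netloc)))


def redact_password_from_url(url: str) -> str:
    """Leaking variant (hypothetical name mirrors the issue)."""
    return _apply(url, _redact_password_only)


def redact_auth_from_url(url: str) -> str:
    """Fixed variant (hypothetical name mirrors the issue)."""
    return _apply(url, redact_netloc)


if __name__ == "__main__":
    for url in ("http://hello:foo@foo.com/bar", "https://accesstoken@github.com"):
        print(redact_password_from_url(url), "->", redact_auth_from_url(url))
```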

@cjerdonek

Member

@cjerdonek cjerdonek commented Aug 23, 2019

@chrahunt Were you going to mark this "good first issue" with instructions?

@chrahunt

Member Author

@chrahunt chrahunt commented Aug 25, 2019

Yes, thanks for the reminder! I have updated the issue description.

@lock lock bot added the S: auto-locked label Sep 25, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Sep 25, 2019