Using Gem::PrintableUri in Gem::Request class

The `@uri` variable could be a source URI with a credential. Using `Gem::PrintableUri` to make sure we are redacting sensitive information from it when logging on verbose mode.
rubygems · Aug 24, 2021 · f566787 · f566787
1 parent 8755ee0
commit f566787
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 5 deletions.
diff --git a/lib/rubygems/request.rb b/lib/rubygems/request.rb
@@ -184,14 +184,15 @@ def self.get_proxy_from_env(scheme = 'http')
 
   def perform_request(request) # :nodoc:
     connection = connection_for @uri
+    uri = Gem::PrintableUri.parse_uri(@uri)
 
     retried = false
     bad_response = false
 
     begin
       @requests[connection.object_id] += 1
 
-      verbose "#{request.method} #{@uri}"
+      verbose "#{request.method} #{uri}"
 
       file_name = File.basename(@uri.path)
       # perform download progress reporter only for gems

diff --git a/test/rubygems/test_gem_request.rb b/test/rubygems/test_gem_request.rb
@@ -197,27 +197,53 @@ def test_fetch
   end
 
   def test_fetch_basic_auth
+    Gem.configuration.verbose = :really
     uri = URI.parse "https://user:pass@example.rubygems/specs.#{Gem.marshal_version}"
     conn = util_stub_net_http(:body => :junk, :code => 200) do |c|
-      @request = make_request(uri, Net::HTTP::Get, nil, nil)
-      @request.fetch
+      use_ui @ui do
+        @request = make_request(uri, Net::HTTP::Get, nil, nil)
+        @request.fetch
+      end
       c
     end
 
     auth_header = conn.payload['Authorization']
     assert_equal "Basic #{Base64.encode64('user:pass')}".strip, auth_header
+    assert_includes @ui.output, "GET https://user:REDACTED@example.rubygems/specs.#{Gem.marshal_version}"
   end
 
   def test_fetch_basic_auth_encoded
+    Gem.configuration.verbose = :really
     uri = URI.parse "https://user:%7BDEScede%7Dpass@example.rubygems/specs.#{Gem.marshal_version}"
+
     conn = util_stub_net_http(:body => :junk, :code => 200) do |c|
-      @request = make_request(uri, Net::HTTP::Get, nil, nil)
-      @request.fetch
+      use_ui @ui do
+        @request = make_request(uri, Net::HTTP::Get, nil, nil)
+        @request.fetch
+      end
       c
     end
 
     auth_header = conn.payload['Authorization']
     assert_equal "Basic #{Base64.encode64('user:{DEScede}pass')}".strip, auth_header
+    assert_includes @ui.output, "GET https://user:REDACTED@example.rubygems/specs.#{Gem.marshal_version}"
+  end
+
+  def test_fetch_basic_oauth_encoded
+    Gem.configuration.verbose = :really
+    uri = URI.parse "https://%7BDEScede%7Dpass:x-oauth-basic@example.rubygems/specs.#{Gem.marshal_version}"
+
+    conn = util_stub_net_http(:body => :junk, :code => 200) do |c|
+      use_ui @ui do
+        @request = make_request(uri, Net::HTTP::Get, nil, nil)
+        @request.fetch
+      end
+      c
+    end
+
+    auth_header = conn.payload['Authorization']
+    assert_equal "Basic #{Base64.encode64('{DEScede}pass:x-oauth-basic')}".strip, auth_header
+    assert_includes @ui.output, "GET https://REDACTED:x-oauth-basic@example.rubygems/specs.#{Gem.marshal_version}"
   end
 
   def test_fetch_head