Check that UpdateRepository#{inspect,to_s} don't leak sensitive info

yast · Feb 15, 2017 · bb6ccf0 · bb6ccf0
1 parent 0b6adb0
commit bb6ccf0
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 2 deletions.
diff --git a/src/lib/installation/update_repository.rb b/src/lib/installation/update_repository.rb
@@ -269,8 +269,7 @@ def remote?
     #
     # @return [String] Debugging information
     def inspect
-      safe_url = Yast::URL.HidePassword(uri.to_s)
-      "#<Installation::UpdateRepository> @uri=\"#{safe_url}\" @origin=#{@origin.inspect}"
+      "#<Installation::UpdateRepository> @uri=\"#{safe_uri}\" @origin=#{@origin.inspect}"
     end
 
   private
@@ -459,5 +458,14 @@ def init_progress
     def update_progress(percent)
       Yast::Progress.Step(percent)
     end
+
+    # Returns the URI removing sensitive information
+    #
+    # @return [String] URI without the password (if present)
+    #
+    # @see Yast::URL.HidePassword
+    def safe_uri
+      @safe_uri ||= Yast::URL.HidePassword(uri.to_s)
+    end
   end
 end
diff --git a/test/update_repository_test.rb b/test/update_repository_test.rb
@@ -295,4 +295,20 @@
       end
     end
   end
+
+  describe "#inspect" do
+    let(:uri) { URI("http://user:123456@updates.suse.com") }
+
+    it "does not contain sensitive information" do
+      expect(repo.inspect).to_not include("123456")
+    end
+  end
+
+  describe "#to_s" do
+    let(:uri) { URI("http://user:123456@updates.suse.com") }
+
+    it "does not contain sensitive information" do
+      expect(repo.to_s).to_not include("123456")
+    end
+  end
 end