Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Secrets in URLs are displayed in plaintext but should be redacted #1714

Open
zanieb opened this issue Feb 19, 2024 · 3 comments
Open

Secrets in URLs are displayed in plaintext but should be redacted #1714

zanieb opened this issue Feb 19, 2024 · 3 comments
Labels
security

Comments

@zanieb
Copy link
Member

zanieb commented Feb 19, 2024

e.g.

uv pip install "uv-private-pypackage@git+https://$GITHUB_TOKEN@github.com/astral-test/uv-private-pypackage"
Updating https://github_pat_blaslgmaskgnsaiugbasufbasbfsahufbs/ (github.com/astra
⠙ Resolving dependencies...
@zanieb
Copy link
Member Author

zanieb commented Feb 19, 2024

pip has some inconsistent behavior here

Collecting uv-private-pypackage@ git+https://github_pat_blaslgmaskgnsaiugbasufbasbfsahufbs@github.com/astral-test/uv-private-pypackage
  Cloning https://****@github.com/astral-test/uv-private-pypackage to /private/var/folders/bc/qlsk3t6x7c9fhhbvvcg68k9c0000gp/T/pip-install-ch2lbg94/uv-private-pypackage_4d0cd18db04c42f0bd628080e4bf5722
  Running command git clone --filter=blob:none --quiet 'https://****@github.com/astral-test/uv-private-pypackage' /private/var/folders/bc/qlsk3t6x7c9fhhbvvcg68k9c0000gp/T/pip-install-ch2lbg94/uv-private-pypackage_4d0cd18db04c42f0bd628080e4bf5722

@charliermarsh
Copy link
Member

Is it fair to assume that we should always redact the segment preceding the @?

@zanieb
Copy link
Member Author

zanieb commented Feb 19, 2024

Probably!

@zanieb zanieb mentioned this issue Feb 19, 2024
Merged
@zanieb zanieb mentioned this issue Apr 10, 2024
Closed
@zanieb zanieb mentioned this issue Apr 17, 2024
Closed
@zanieb zanieb mentioned this issue Jul 16, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@charliermarsh @zanieb