Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

--help output does not redact password from configured index_url #9160

Closed
cdunklau-dt opened this issue Nov 23, 2020 · 1 comment · Fixed by #9163
Closed

--help output does not redact password from configured index_url #9160

cdunklau-dt opened this issue Nov 23, 2020 · 1 comment · Fixed by #9163
Labels
type: bug A confirmed bug or unintended behavior

Comments

@cdunklau-dt
Copy link

Environment

  • pip version: 20.2.4
  • Python version: 3.8.6
  • OS: Windows 10

Description

The help text for at least the install and wheel subcommands (likely others too) display the full configured index URL as a default, without redacting credentials:

Package Index Options:
  -i, --index-url <url>       Base URL of the Python Package Index (default https://us
                              er:SuperSecret@mypypi.example.com/api/pypi/simple). This
                              should point to a repository compliant with PEP 503 (the
                              simple repository API) or a local directory laid out in
                              the same format.

The URL is coming from pip.ini in C:\Users\cdunklau\AppData\Roaming\pip\pip.ini:

[global]
index-url = https://user:SuperSecret@mypypi.example.com/api/pypi/simple

Expected behavior

Pip should redact the password, as it does in log entries involving a custom index URL, e.g.:

Package Index Options:
  -i, --index-url <url>       Base URL of the Python Package Index (default https://us
                              er:****@mypypi.example.com/api/pypi/simple). This
                              should point to a repository compliant with PEP 503 (the
                              simple repository API) or a local directory laid out in
                              the same format.

How to Reproduce

  1. Configure a custom index-url in pip.ini with credentials, as above
  2. Run pip install --help
  3. Observe the password is not redacted in the help text
@xavfernandez xavfernandez added good first issue A good item for first time contributors to work on type: bug A confirmed bug or unintended behavior and removed good first issue A good item for first time contributors to work on labels Nov 25, 2020
@NoahGorny NoahGorny mentioned this issue Nov 25, 2020
Merged
@NoahGorny
Copy link
Contributor

@xavfernandez @cdunklau-dt you are welcome to look on my PR #9163 which solves this problem 😄

This was referenced Dec 1, 2020
Closed
Closed
@Bolayniuss Bolayniuss mentioned this issue Dec 4, 2020
Closed
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 7, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
type: bug A confirmed bug or unintended behavior
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Redact auth from URL in UpdatingDefaultsHelpFormatter NoahGorny/pip
3 participants
@xavfernandez @NoahGorny @cdunklau-dt