Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pip does not redact passwords when collecting git dependencies #9709

Open
1 task done
tmr232 opened this issue Mar 16, 2021 · 4 comments
Open
1 task done

Pip does not redact passwords when collecting git dependencies #9709

tmr232 opened this issue Mar 16, 2021 · 4 comments
Labels
C: direct url Direct URL references (PEP 440, PEP 508, PEP 610) C: vcs pip's interaction with version control systems like git, svn and bzr type: bug A confirmed bug or unintended behavior

Comments

@tmr232
Copy link

tmr232 commented Mar 16, 2021

pip version

21.0.1

Python version

3.7

OS

Windows 10, Ubuntu 18

Additional information

No response

Description

When installing a package with git-based dependencies with credentials, the password is displayed when printing the "Collecting" message. The rest is ok.

Expected behavior

The password in the URL is always redacted.

How to Reproduce

  1. Create a setup.py file containing the following:
from setuptools import setup

setup(
    install_requires="dependency @ git+https://user:secret-token@example.com",
)
  1. Run pip install .
  2. You can see the unredacted password ("secret-token") in the messages printed to the console.

Output

$ pip install .
Defaulting to user installation because normal site-packages is not writeable
Processing /path/to/package
Collecting dependency@ git+https://user:secret-token@example.com
  Cloning https://user:****@example.com to /tmp/pip-install-ighmw36e/dependency

Code of Conduct

  • I agree to follow the PSF Code of Conduct
@tmr232 tmr232 added S: needs triage Issues/PRs that need to be triaged type: bug A confirmed bug or unintended behavior labels Mar 16, 2021
@uranusjr
Copy link
Member

I’m hesitant to call this a bug since if you are willing to hard-code the credentials in a setup.py (which is designed for public consumption). you should probably accept it not being secret. It’s philosophically different from credentials passed in from e.g. environment variables.

@tmr232
Copy link
Author

tmr232 commented Mar 16, 2021

The results are the same when I get the token from environment variables. I used a hardcoded version here as it requires no setup to reproduce.

In the real use-case I have code reading environment variables to generate the dependency string, but what is passed into the call to setup() is still the same.

@pradyunsg
Copy link
Member

pradyunsg commented Mar 23, 2021
edited
Loading

The results are the same when I get the token from environment variables.

Are you reading them in the setup.py file? Or somewhere else?

@pradyunsg
Copy link
Member

In the real use-case I have code reading environment variables to generate the dependency string, but what is passed into the call to setup() is still the same.

Ah, I missed this. It's probably worth fixing, so PRs are welcome.

I'm personally not inclined to look into this, so I won't be doing anything to address this.

@pradyunsg pradyunsg added C: direct url Direct URL references (PEP 440, PEP 508, PEP 610) C: vcs pip's interaction with version control systems like git, svn and bzr and removed S: needs triage Issues/PRs that need to be triaged labels Mar 23, 2021
This was referenced Mar 23, 2021
Closed
Open
@NoahGorny NoahGorny mentioned this issue Apr 5, 2021
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
C: direct url Direct URL references (PEP 440, PEP 508, PEP 610) C: vcs pip's interaction with version control systems like git, svn and bzr type: bug A confirmed bug or unintended behavior
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

vendor: packaging: Redact auth from url in str repr NoahGorny/pip
3 participants
@uranusjr @tmr232 @pradyunsg