Password env variable exposed #9746

Open
1 task done
daniel-smith opened this issue Mar 30, 2021 · 2 comments
Labels
S: needs triage Issues/PRs that need to be triaged type: bug A confirmed bug or unintended behavior

Comments


daniel-smith commented Mar 30, 2021

pip version

21.0.1

Python version

3.7.10

OS

Windows & Linux

Additional information

No response

Description

When using a requirements.txt file which specifies a link to a wheel, with credentials specified as environment variables, the password is output to the console in clear text. With a requirements.txt having:

my-requirement @ http://${USER}:${PASS}@someurl.com/my-requirement.whl

Where USER and PASS are set as environment variables.

Expected behavior

Password masked in console output.

How to Reproduce

  1. Create a requirements.txt that has a requirement pointing to a specific URL with credentials specified in environment variables.
  2. Then run pip install -r requirements.txt
  3. Output shows expanded password in the "Collecting" message, but not in the "Downloading" message.

Output

Collecting my-requirement@ http://joebloggs:realpassword@someurl.com/my-requirement.whl
  Downloading http://joebloggs:****@someurl.com/my-requirement.whl (12 kB)

Code of Conduct

  • I agree to follow the PSF Code of Conduct

Looking at the code, I can see the following:

# The download path redacts the URL before it reaches the log.
logged_url = redact_auth_from_url(url)
if total_length:
    logged_url = '{} ({})'.format(logged_url, format_size(total_length))
if is_from_cache(resp):
    logger.info("Using cached %s", logged_url)
else:
    logger.info("Downloading %s", logged_url)

This code is calling a function redact_auth_from_url, but the following is not:

def _log_preparing_link(self, req):
    # type: (InstallRequirement) -> None
    """Provide context for the requirement being prepared."""
    if req.link.is_file and not req.original_link_is_in_wheel_cache:
        message = "Processing %s"
        information = str(display_path(req.link.file_path))
    else:
        message = "Collecting %s"
        # str(req) still contains the expanded URL, credentials included.
        information = str(req.req or req)
    if (message, information) != self._previous_requirement_header:
        self._previous_requirement_header = (message, information)
        logger.info(message, information)
    if req.original_link_is_in_wheel_cache:
        with indent_log():
            logger.info("Using cached %s", req.link.filename)

NoahGorny (Contributor) commented
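The leak the report describes, reproduced as an added example (this is neither pip's code nor the reporter's): a constructed requirements line and environment, a re-implementation of `${VAR}` expansion following pip's documented rules for requirements files, a stand-in `redact_auth_from_url` that masks the password the way the `Downloading` line shows, both log sites rendered side by side, and a hypothetical `logging.Filter` (`RedactUrlCredentials`, not something pip ships) that scrubs embedded credentials from every record regardless of which call site logged it. `REQUIREMENT_LINE`, `ENV`, `render_log_lines` and `log_through_filter` are names assumed for this demo.

```python
import logging
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed inputs (not taken from any real project): the requirement line
# from the report plus the two variables it expects. The password is a dummy.
REQUIREMENT_LINE = "my-requirement @ http://${USER}:${PASS}@someurl.com/my-requirement.whl"
ENV = {"USER": "joebloggs", "PASS": "realpassword"}

# pip documents ${VAR} expansion in requirements files: names are upper-case
# letters, digits and underscores, and an unset or empty variable is left as-is.
ENV_VAR_RE = re.compile(r"\$\{([A-Z0-9_]+)\}")


def expand_env_variables(line, env):
    """Expand ${VAR} references in one requirements line from the mapping `env`."""
    return ENV_VAR_RE.sub(lambda m: env.get(m.group(1)) or m.group(0), line)


def redact_auth_from_url(url):
    """Return `url` with any password in the netloc replaced by ****.

    Added re-implementation of the behaviour the 'Downloading' line shows
    (user name kept, password masked); this is not pip's own function.
    """
    parts = urlsplit(url)
    if parts.username is None:
        return url
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    if parts.password is None:
        netloc = f"{parts.username}@{host}"
    else:
        netloc = f"{parts.username}:****@{host}"
    return urlunsplit(parts._replace(netloc=netloc))


def render_log_lines(requirement_line, env):
    """Reproduce the two log sites the issue compares.

    The 'Collecting' line logs the expanded requirement as-is (the leak);
    the 'Downloading' line passes the URL through redact_auth_from_url first.
    Returns (collecting_line, downloading_line).
    """
    expanded = expand_env_variables(requirement_line, env)
    name, _, url = expanded.partition(" @ ")
    url = url.strip()
    collecting = f"Collecting {name}@ {url}"
    downloading = f"  Downloading {redact_auth_from_url(url)}"
    return collecting, downloading


# Defense in depth (hypothetical mitigation, not shipped by pip): scrub
# scheme://user:password@ from every record so no single call site can leak it.
URL_CRED_RE = re.compile(r"([a-z][a-z0-9+.\-]*://)([^:/@\s]+):([^@\s]+)@")


class RedactUrlCredentials(logging.Filter):
    def filter(self, record):
        # Render the message once, mask credentials, and drop the args so the
        # handler cannot re-interpolate the original secret.
        record.msg = URL_CRED_RE.sub(r"\1\2:****@", record.getMessage())
        record.args = ()
        return True


def log_through_filter(message, *args):
    """Emit one INFO record through the filter and return the text the handler saw."""
    seen = []

    class Capture(logging.Handler):
        def emit(self, record):
            seen.append(record.getMessage())

    logger = logging.getLogger("pip-redaction-demo")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = Capture()
    handler.addFilter(RedactUrlCredentials())
    logger.addHandler(handler)
    try:
        logger.info(message, *args)
    finally:
        logger.removeHandler(handler)
    return seen[0]


if __name__ == "__main__":
    collecting, downloading = render_log_lines(REQUIREMENT_LINE, ENV)
    print(collecting)   # password in clear, as in the report
    print(downloading)  # password masked
    print(log_through_filter("%s", collecting))  # same line, scrubbed by the filter
```

The filter deliberately errs toward over-redaction: anything shaped like `scheme://user:secret@` is masked, including a path that merely happens to contain `:` and `@`. For a log scrubber that is the safe direction; the per-call-site `redact_auth_from_url` approach is exact but, as the two excerpts above show, only protects the sites that remember to call it.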

I think this is a duplicate of #9709. I proposed a solution, but this will require us to fix it upstream of the packaging vendor.


ghost commented Apr 21, 2021

This is a quite serious issue, especially in CI/CD builds. All the auth tokens are exposed when using pip install without -q.

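To check whether an existing build's output is affected, as an added example that is not part of the thread: a scanner over a constructed CI log excerpt that reports every URL-embedded credential with its line number and whether the password was already masked, without echoing the password itself into yet another log. `CI_LOG` (whose `Collecting` and `Downloading` lines mirror the report's output), `find_leaked_credentials` and `unmasked_findings` are constructed for this demo.

```python
import re

# Constructed CI log excerpt (not from any real build). Line 2 shows the
# unredacted form the issue reports, line 3 the masked form.
CI_LOG = """\
Run pip install -r requirements.txt
Collecting my-requirement@ http://joebloggs:realpassword@someurl.com/my-requirement.whl
  Downloading http://joebloggs:****@someurl.com/my-requirement.whl (12 kB)
Collecting other-package
  Downloading other_package-1.0-py3-none-any.whl (5 kB)
Successfully installed my-requirement other-package
"""

# scheme://user:password@ ; user stops at ':' '/' '@' or space, password at '@'.
CRED_IN_URL_RE = re.compile(r"\b[a-z][a-z0-9+.\-]*://([^:/@\s]+):([^@\s]+)@")


def find_leaked_credentials(log_text, masks=("****",)):
    """Return (line_no, user, masked) for every URL credential in the log.

    The password is never returned; `masked` is True when it is one of the
    known mask strings, so only unmasked entries are real exposures.
    """
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        for match in CRED_IN_URL_RE.finditer(line):
            user, password = match.group(1), match.group(2)
            findings.append((line_no, user, password in masks))
    return findings


def unmasked_findings(log_text):
    """Only the findings where a real password reached the log."""
    return [f for f in find_leaked_credentials(log_text) if not f[2]]


if __name__ == "__main__":
    for line_no, user, masked in find_leaked_credentials(CI_LOG):
        state = "masked" if masked else "EXPOSED"
        print(f"line {line_no}: credential for user '{user}' is {state}")
```

Run this over the stored job log of a build that installs from authenticated URLs; any `EXPOSED` finding means the secret has to be rotated, since log retention and access are typically much broader than the scope of the original credential.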