Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove username/password from log message #5339

Merged
merged 4 commits into from
May 22, 2018

Conversation

jzafran
Copy link
Contributor

@jzafran jzafran commented Apr 27, 2018

Sanitize the output of the "Looking in indexes:" log message (added in #4483) to remove the username/password for basic authentication if configured.

Currently, when using a basic authentication-protected index/repository, the username/password is printed to stdout during a pip install:

Looking in indexes: https://user:password@repo.domain.com/
Collecting requests
...

With this change, the username and password is removed from the log statement:

Looking in indexes: https://repo.domain.com/
Collecting requests
...

Fixes #5249

@@ -63,7 +63,7 @@ def export(self, location):
"""Export the svn repository at the url to the destination location"""
url, rev = self.get_url_rev()
rev_options = get_rev_options(self, url, rev)
url = self.remove_auth_from_url(url)
url = remove_auth_from_url(url)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this removes the auth information that will later be used in the command 👎

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's the behavior it had prior to this patch; I think that's fine.

@@ -84,7 +84,7 @@ def update(self, dest, rev_options):
def obtain(self, dest):
url, rev = self.get_url_rev()
rev_options = get_rev_options(self, url, rev)
url = self.remove_auth_from_url(url)
url = remove_auth_from_url(url)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

dito here

@pradyunsg pradyunsg added the S: needs triage Issues/PRs that need to be triaged label May 11, 2018
@pradyunsg
Copy link
Member

Needs a NEWS fragment.

@pradyunsg pradyunsg added S: awaiting response Waiting for a response/more information T: bugfix and removed S: needs triage Issues/PRs that need to be triaged labels May 13, 2018
@pradyunsg
Copy link
Member

Thanks for this PR @jzafran! Could you update this PR by adding a news entry as per https://pip.pypa.io/en/latest/development/#adding-a-news-entry?

@pradyunsg pradyunsg added S: needs triage Issues/PRs that need to be triaged and removed S: awaiting response Waiting for a response/more information labels May 16, 2018
@jzafran
Copy link
Contributor Author

jzafran commented May 16, 2018

@pradyunsg all set; I added a news entry

@@ -624,3 +625,29 @@ def test_call_subprocess_works_okay_when_just_given_nothing():
def test_call_subprocess_closes_stdin():
with pytest.raises(InstallationError):
call_subprocess([sys.executable, '-c', 'input()'])


def test_remove_auth_from_url():
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you use pytest's "parameterized tests" here? (Also, maybe remove the svn naming of the URLs)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@@ -139,3 +139,18 @@ def test_secure_origin(location, trusted, expected):
logger = MockLogger()
finder._validate_secure_origin(logger, location)
assert logger.called == expected


def test_get_formatted_locations_basic_auth():
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not for this PR but get_formatted_locations needs tests.

@jzafran jzafran closed this May 21, 2018
@jzafran jzafran reopened this May 21, 2018
@pradyunsg pradyunsg removed the S: needs triage Issues/PRs that need to be triaged label May 22, 2018
@pradyunsg pradyunsg merged commit 144b42d into pypa:master May 22, 2018
@pradyunsg
Copy link
Member

Thanks for this @jzafran! ^.^

@RemiCardona
Copy link

Sweet!

@pradyunsg pradyunsg added this to the 18.0 milestone May 22, 2018
@jzafran jzafran deleted the remove-password-from-stdout branch May 24, 2018 19:23
@lock
Copy link

lock bot commented Jun 2, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot added the auto-locked Outdated issues that have been locked by automation label Jun 2, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Jun 2, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
auto-locked Outdated issues that have been locked by automation
Projects
None yet
Development

Successfully merging this pull request may close these issues.

index-url password is displayed on pip install.
5 participants