Suppressing expansion of environment variables #3138

Closed
spiderkeys opened this issue Oct 31, 2018 · 1 comment
Labels
Category: Pip Requires pip update to address Category: Private PyPIs 😎 Problem relates to private PyPI usage.

spiderkeys commented Oct 31, 2018

Issue description

I have a private repository configured in my Pipfile, which specifies credentials via environment variables in the manner described in the pipenv user guide:

[[source]]
url = "https://${JFROG_USERNAME}:${JFROG_PASSWORD}@myorg.jfrog.io/myorg/api/pypi/myrepo/simple"
verify_ssl = true
name = "myrepo"

When running 'pipenv install', if a package cannot be found at the remote index, pipenv prints the following message with environment variables fully expanded:

No versions found
Were https://pypi.org/simple or https://XXXXX:XXXXX@myorg.jfrog.io/myorg/api/pypi/myrepo/simple reachable?

Expected result

I expected that credentials and other secrets specified via environment variables would remain unexpanded in stdout/stderr messages, such that secrets aren't leaked via CI logs when errors occur.

Steps to replicate

  • Create a Pipfile that points to a remote index with credentials specified via environment variables
  • Specify a package dependency that you know to not exist
  • Run 'pipenv install'
  • Observe expansion of environment variables in error output

$ pipenv --support

Pipenv version: '2018.10.13'

Pipenv location: '/home/spiderkeys/.local/lib/python3.6/site-packages/pipenv'

Python location: '/usr/bin/python3'

Python installations found:

  • 3.7.1: /home/spiderkeys/.pyenv/versions/3.7.1/bin/python3.7
  • 3.7.1: /home/spiderkeys/.pyenv/versions/3.7.1/bin/python3.7m
  • 3.6.6: /usr/bin/python3.6
  • 3.6.6: /usr/bin/python3.6m
  • 2.7.15: /home/spiderkeys/.pyenv/versions/2.7.15/bin/python2.7
  • 2.7.15rc1: /usr/bin/python2.7

PEP 508 Information:

{'implementation_name': 'cpython',
 'implementation_version': '3.6.6',
 'os_name': 'posix',
 'platform_machine': 'x86_64',
 'platform_python_implementation': 'CPython',
 'platform_release': '4.15.0-23-generic',
 'platform_system': 'Linux',
 'platform_version': '#25-Ubuntu SMP Wed May 23 18:02:16 UTC 2018',
 'python_full_version': '3.6.6',
 'python_version': '3.6',
 'sys_platform': 'linux'}

System environment variables:


Pipenv–specific environment variables:

Debug–specific environment variables:

  • PATH: /home/spiderkeys/.pyenv/bin:/home/spiderkeys/.cargo/bin:/home/spiderkeys/.cargo/bin:/home/spiderkeys/.cargo/bin:/home/spiderkeys/.cargo/bin:/home/spiderkeys/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
  • SHELL: /bin/bash
  • LANG: en_US.UTF-8
  • PWD: /home/spiderkeys/myorg/production/utils/test_project

Contents of Pipfile ('/home/spiderkeys/myorg/production/utils/test_project/Pipfile'):

[[source]]
url = "https://pypi.org/simple"
verify_ssl = true
name = "pypi"

[[source]]
url = "https://${JFROG_USERNAME}:${JFROG_PASSWORD}@myorg.jfrog.io/myorg/api/pypi/myrepo/simple"
verify_ssl = true
name = "myrepo"

[packages]
nhd220 = {version="*", index="myrepo"}

[dev-packages]

[requires]
python_version = "3.6"

uranusjr (Member) commented Nov 4, 2018

I believe this is addressed in pypa/pip#5773. Keeping this open until pip releases it (likely in early 2019).

@uranusjr uranusjr added the Category: Pip Requires pip update to address label Nov 4, 2018
@matteius matteius added the Category: Private PyPIs 😎 Problem relates to private PyPI usage. label Apr 1, 2022
@matteius matteius closed this as completed Mar 4, 2023
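
The leak reported in this thread comes from formatting the expanded source URL straight into an error message. The sketch below is an added example, not code from pipenv or pip: it expands the `${VAR}` references only for the request and masks the userinfo part of any URL before it reaches a log. All function names, the logger name and the sample credential values are constructed for illustration.

```python
import logging
import re
from string import Template
from urllib.parse import urlsplit, urlunsplit

MASK = "****"
# scheme://userinfo@rest, as it appears inside free-text messages
URL_WITH_USERINFO = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://[^\s/@]+@\S+")

# Constructed sample data: the Pipfile source URL from the issue, made-up values.
RAW_URL = "https://${JFROG_USERNAME}:${JFROG_PASSWORD}@myorg.jfrog.io/myorg/api/pypi/myrepo/simple"
SAMPLE_ENV = {"JFROG_USERNAME": "ci-bot", "JFROG_PASSWORD": "s3cr3t-example"}


def expand_source_url(raw_url, env):
    """Expand ${VAR} references; the result is for the HTTP request only."""
    return Template(raw_url).safe_substitute(env)


def redact_url(url):
    """Mask the secret in a URL's userinfo; scheme, host and path are kept."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    userinfo, hostport = parts.netloc.rsplit("@", 1)
    if ":" in userinfo:
        userinfo = userinfo.split(":", 1)[0] + ":" + MASK
    else:
        userinfo = MASK  # a lone username is often an API token
    return urlunsplit(parts._replace(netloc=userinfo + "@" + hostport))


def redact_text(text):
    """Redact every credential-bearing URL inside a log or error message."""
    return URL_WITH_USERINFO.sub(lambda m: redact_url(m.group(0)), text)


class RedactingFilter(logging.Filter):
    """Rewrite each record's final message before any handler emits it."""

    def filter(self, record):
        record.msg, record.args = redact_text(record.getMessage()), ()
        return True


if __name__ == "__main__":
    logging.basicConfig(format="%(message)s")
    log = logging.getLogger("resolver-demo")
    log.addFilter(RedactingFilter())
    url = expand_source_url(RAW_URL, SAMPLE_ENV)
    log.error("Were %s or %s reachable?", "https://pypi.org/simple", url)
```

A filter attached to a logger only sees records logged on that logger; attach it to the handler to cover child loggers as well. Text written directly to stdout or stderr bypasses it and has to go through `redact_text` explicitly.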