Skip to content

Commit

Permalink
fix(cli): Remove credentials from environment variables
Browse files Browse the repository at this point in the history
Do not expose any credentials, e.g. when included in proxy URLs.

Fixes #9294.

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
  • Loading branch information
sschuberth committed Oct 17, 2024
1 parent 64dc2c1 commit 03b4ed9
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion cli/src/main/kotlin/OrtMain.kt
Original file line number Diff line number Diff line change
Expand Up @@ -50,9 +50,11 @@ import org.ossreviewtoolkit.model.config.LicenseFilePatterns
import org.ossreviewtoolkit.model.config.OrtConfiguration
import org.ossreviewtoolkit.plugins.commands.api.OrtCommand
import org.ossreviewtoolkit.utils.common.EnvironmentVariableFilter
import org.ossreviewtoolkit.utils.common.MaskedString
import org.ossreviewtoolkit.utils.common.Os
import org.ossreviewtoolkit.utils.common.expandTilde
import org.ossreviewtoolkit.utils.common.mebibytes
import org.ossreviewtoolkit.utils.common.replaceCredentialsInUri
import org.ossreviewtoolkit.utils.ort.Environment
import org.ossreviewtoolkit.utils.ort.ORT_CONFIG_DIR_ENV_NAME
import org.ossreviewtoolkit.utils.ort.ORT_CONFIG_FILENAME
Expand Down Expand Up @@ -208,7 +210,8 @@ class OrtMain : CliktCommand(ORT_NAME) {
ORT_DATA_DIR_ENV_NAME to ortDataDirectory.path,
*env.variables.toList().toTypedArray()
).mapTo(content) { (key, value) ->
"${Theme.Default.info(key)} = ${Theme.Default.warning(value)}"
val safeValue = value.replaceCredentialsInUri(MaskedString.DEFAULT_MASK)
"${Theme.Default.info(key)} = ${Theme.Default.warning(safeValue)}"
}

cell(content.joinToString("\n")) { columnSpan = 2 }
Expand Down

0 comments on commit 03b4ed9

Please sign in to comment.