Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Redact URL to hide password #6295

Merged
merged 10 commits into from
Mar 1, 2019
Merged

Redact URL to hide password #6295

Show file tree
Hide file tree
Changes from 8 commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
00b872f
Redact URL to hide password
expobrain Feb 23, 2019
34b123d
Use already existent utility function ot hide password
expobrain Feb 24, 2019
5c232bc
Updated unit test
expobrain Feb 24, 2019
ddb7320
Pass index url straight to the command
expobrain Feb 24, 2019
70dee95
Moved test into unit
expobrain Feb 25, 2019
c33535b
Use caplog instead of mock
expobrain Feb 27, 2019
1214941
Added NEWS file
expobrain Feb 27, 2019
5bfb47c
Improved unit test
expobrain Feb 28, 2019
137a7ab
Better unit test comment
expobrain Mar 1, 2019
b37ad3f
Better NEWS files content
expobrain Mar 1, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions news/6295.bugfix
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Redacts the URL of the extra index when `pip -v` to hide the user's password
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since the URL isn't being removed but only the password, it would be better to say something like, "Redact the password from the extra index URL when using pip -v." Also, you want to use double backticks before and after "pip -v" rather than single, and end the sentence with a period.

Copy link
Contributor Author

@expobrain expobrain Mar 1, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you mean like ``pip -v``?

Copy link
Member

@cjerdonek cjerdonek Mar 1, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah. I couldn't get it to render in GitHub's viewer when I first tried. The reason for double is because the contents are reStructuredText and not, say, Markdown: https://pip.pypa.io/en/stable/development/contributing/#contents-of-a-news-entry

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I used a backslash before the backtick to escape it and let Markdown ignore it

2 changes: 1 addition & 1 deletion src/pip/_internal/index.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -155,7 +155,7 @@ def _get_html_response(url, session):
if _is_url_like_archive(url):
_ensure_html_response(url, session=session)

logger.debug('Getting page %s', url)
logger.debug('Getting page %s', redact_password_from_url(url))

resp = session.get(
url,
Expand Down
28 changes: 28 additions & 0 deletions tests/unit/test_index_html_page.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -118,6 +118,34 @@ def test_get_html_response_no_head(url):
]


def test_get_html_response_dont_log_clear_text_password(caplog):
"""
`_get_html_response()` shouldn't log the full index's URL includoing the
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typo: including

Also, this could be a little clearer. How about: "_get_html_response() should redact the password from the index URL in its DEBUG log message."

user's password in clear text on DEBUG channel but only the redacted URL
"""
session = mock.Mock(PipSession)

# Mock the headers dict to ensure it is accessed.
session.get.return_value = mock.Mock(headers=mock.Mock(**{
"get.return_value": "text/html",
}))

caplog.set_level(logging.DEBUG)

resp = _get_html_response(
"https://user:my_password@example.com/simple/", session=session
)

assert resp is not None

assert len(caplog.records) == 1
record = caplog.records[0]
assert record.levelname == 'DEBUG'
assert record.message.splitlines() == [
"Getting page https://user:****@example.com/simple/",
]


@pytest.mark.parametrize(
"url, vcs_scheme",
[
Expand Down