VCS install using https credentials in env variables fails for Pipfile #6195
Labels: Category: Security (Relates to security); Contributor Candidate (The issue has been identified/triaged and contributions are welcomed/encouraged.); triage
Issue description
Trying to install a package over https, from a private AWS CodeCommit repo, on an Ubuntu system.

Instead of using git `credential.helper`, we would like to inject credentials into our Pipfile using env variables. So, in a bash terminal, we define `USERNAME` and `PASSWORD` (url-encoded). Installing into an empty dir, directly from the command line, using these credentials, appears to work without issue:

```
pipenv install -e "git+https://${USERNAME}:${PASSWORD}@git-codecommit.eu-west-3.amazonaws.com/v1/repos/mypackage@main#egg=mypackage"
```

This implies that the credentials and user permissions are correct.

However, it turns out the username and password end up in both `Pipfile` and `Pipfile.lock`... That does not sound like a good idea.
Luckily, the docs for Injecting credentials into Pipfile via environment variables say:
However, if we try to install from a `Pipfile` into an otherwise empty dir, using the exact same url with the same `USERNAME` and `PASSWORD`, we get a status `403` (`Forbidden`); it yields:
Expected result
I expect installation from `Pipfile` to work without issue, just like installation from the command line.

Actual result

command line output
Steps to replicate
- first `pyproject.toml`, as follows, and setup a user with git credentials (perhaps a private github repo would also work, but haven't tried that yet)
- `USERNAME` and `PASSWORD` (e.g. using `read -s`) with the corresponding values (url-encoded)
- `pipenv install -e "git+https://${USERNAME}:${PASSWORD}@git-codecommit.eu-west-3.amazonaws.com/v1/repos/mypackage@main#egg=mypackage"`

then

- `Pipfile`, generated above, into the new dir, and replace the actual username and password in the file by the corresponding env variables, as in:
- `pipenv install`
- status 403 error

`$ pipenv --support`
```
Pipenv version: '2024.0.1'
Pipenv location: '/home/me/.local/lib/python3.11/site-packages/pipenv'
Python location: '/home/me/.pyenv/versions/3.11.6/bin/python3.11'
OS Name: 'posix'
User pip version: '24.0'
user Python installations found:
PEP 508 Information:
System environment variables:
  SHELL
  SESSION_MANAGER
  QT_ACCESSIBILITY
  PIPENV_VENV_IN_PROJECT
  COLORTERM
  PYENV_SHELL
  XDG_CONFIG_DIRS
  SSH_AGENT_LAUNCHER
  XDG_MENU_PREFIX
  GNOME_DESKTOP_SESSION_ID
  LANGUAGE
  LC_ADDRESS
  GNOME_SHELL_SESSION_MODE
  LC_NAME
  SSH_AUTH_SOCK
  GIT_PS1_SHOWDIRTYSTATE
  XMODIFIERS
  DESKTOP_SESSION
  LC_MONETARY
  GTK_MODULES
  PWD
  LOGNAME
  XDG_SESSION_DESKTOP
  XDG_SESSION_TYPE
  SYSTEMD_EXEC_PID
  XAUTHORITY
  HOME
  USERNAME
  IM_CONFIG_PHASE
  LC_PAPER
  LANG
  LS_COLORS
  XDG_CURRENT_DESKTOP
  VTE_VERSION
  WAYLAND_DISPLAY
  GNOME_TERMINAL_SCREEN
  GNOME_SETUP_DISPLAY
  LESSCLOSE
  XDG_SESSION_CLASS
  TERM
  LC_IDENTIFICATION
  LESSOPEN
  USER
  GNOME_TERMINAL_SERVICE
  DISPLAY
  SHLVL
  LC_TELEPHONE
  QT_IM_MODULE
  LC_MEASUREMENT
  PAPERSIZE
  XDG_RUNTIME_DIR
  PYENV_ROOT
  LC_TIME
  XDG_DATA_DIRS
  PATH
  GDMSESSION
  DBUS_SESSION_BUS_ADDRESS
  LC_NUMERIC
  _
  PIP_DISABLE_PIP_VERSION_CHECK
  PYTHONDONTWRITEBYTECODE
  PYTHONFINDER_IGNORE_UNSUPPORTED
Pipenv–specific environment variables:
  PIPENV_VENV_IN_PROJECT: 1
Debug–specific environment variables:
  PATH: /home/me/.pyenv/versions/3.9.18/bin:/home/me/.pyenv/versions/3.8.18/bin:/home/me/.pyenv/versions/3.11.6/bin:/home/me/.pyenv/versions/3.8.13/bin:/home/me/.pyenv/shims:/home/me/.npm-global/bin:/home/me/.local/bin:/home/me/.pyenv/bin:/home/me/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/snap/bin
  SHELL: /bin/bash
  LANG: en_CA.UTF-8
  PWD: /home/me
```
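The report above is about credentials landing in `Pipfile` and `Pipfile.lock` when the documented `${VAR}` injection is used. As an added example that is not part of the issue and not pipenv's own code, the Python script below does two things a maintainer or CI job would want: it scans a constructed Pipfile and Pipfile.lock for VCS URLs whose userinfo contains literal credentials rather than `${VAR}` placeholders, and it shows a placeholder expansion that percent-encodes each value so characters such as `@`, `:` and `/` in a password cannot break the URL's authority part (the reason the reporter url-encodes `USERNAME` and `PASSWORD`). All function names, the sample file contents, the `example.invalid` host and the credential values are constructed assumptions; `expand_placeholders` is a hypothetical illustration of the mechanism, not pipenv's implementation.

```python
"""Added example: flag literal credentials in Pipfile / Pipfile.lock VCS URLs
and show ${VAR} expansion with percent-encoding.  Every name and sample value
here is constructed; this is not pipenv's own code."""
import json
import re
from urllib.parse import quote, urlsplit, urlunsplit

try:
    import tomllib  # Python 3.11+ standard library TOML parser
except ModuleNotFoundError:
    tomllib = None

PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
# Minimal fallback when tomllib is unavailable: `name = {git = "..."}` lines.
_INLINE_GIT = re.compile(r'^\s*([\w.-]+)\s*=\s*\{[^}]*\bgit\s*=\s*"([^"]+)"')

# Constructed sample Pipfile: one entry keeps placeholders, one leaks literals.
SAMPLE_PIPFILE = """
[packages]
mypackage = {git = "https://${USERNAME}:${PASSWORD}@git-codecommit.eu-west-3.amazonaws.com/v1/repos/mypackage", ref = "main", editable = true}
leaky = {git = "https://alice:s3cr3t@example.invalid/repos/leaky", ref = "main"}
requests = "*"
"""

# Constructed sample Pipfile.lock in which the expanded URL was written back.
SAMPLE_LOCK = json.dumps({
    "default": {
        "mypackage": {"git": "https://alice:s3cr3t@git-codecommit.eu-west-3.amazonaws.com/v1/repos/mypackage",
                      "ref": "0000000"},
        "requests": {"version": "==2.32.0"},
    }
})


def userinfo_of(url: str) -> str:
    """Return the 'user:password' part of a URL, or '' when there is none."""
    netloc = urlsplit(url).netloc
    return netloc.rsplit("@", 1)[0] if "@" in netloc else ""


def is_literal_secret(userinfo: str) -> bool:
    """True when anything other than ${VAR} placeholders (and ':') is present."""
    if not userinfo:
        return False
    return PLACEHOLDER.sub("", userinfo).replace(":", "") != ""


def pipfile_git_urls(text: str) -> dict:
    """Map package name -> git URL for Pipfile entries that use a VCS source."""
    urls = {}
    if tomllib is not None:
        data = tomllib.loads(text)
        for section in ("packages", "dev-packages"):
            for name, spec in data.get(section, {}).items():
                if isinstance(spec, dict) and "git" in spec:
                    urls[name] = spec["git"]
    else:
        for line in text.splitlines():
            m = _INLINE_GIT.match(line)
            if m:
                urls[m.group(1)] = m.group(2)
    return urls


def find_leaked_credentials(pipfile_text: str, lock_text: str) -> list:
    """Return 'file:package' labels whose VCS URL embeds literal credentials."""
    findings = []
    for name, url in pipfile_git_urls(pipfile_text).items():
        if is_literal_secret(userinfo_of(url)):
            findings.append(f"Pipfile:{name}")
    lock = json.loads(lock_text)
    for section in ("default", "develop"):
        for name, spec in lock.get(section, {}).items():
            url = spec.get("git")
            if url and is_literal_secret(userinfo_of(url)):
                findings.append(f"Pipfile.lock:{name}")
    return findings


def expand_placeholders(url: str, env: dict) -> str:
    """Hypothetical expansion: substitute ${VAR} from `env`, percent-encoding
    each value so '@', ':' or '/' in a password cannot corrupt the authority."""
    def repl(match):
        name = match.group(1)
        if name not in env:
            raise KeyError(f"environment variable {name} is not set")
        return quote(env[name], safe="")
    return PLACEHOLDER.sub(repl, url)


def redact(url: str) -> str:
    """Replace any userinfo with '***' before a URL is logged or printed."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    host = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit(parts._replace(netloc="***@" + host))


if __name__ == "__main__":
    for hit in find_leaked_credentials(SAMPLE_PIPFILE, SAMPLE_LOCK):
        print("literal credentials in", hit)
    url = expand_placeholders(
        "https://${USERNAME}:${PASSWORD}@git-codecommit.eu-west-3.amazonaws.com/v1/repos/mypackage",
        {"USERNAME": "alice", "PASSWORD": "p@ss/w:rd"})  # constructed values
    print(redact(url))
```

Running `find_leaked_credentials` over the real `Pipfile` and `Pipfile.lock` in a pre-commit hook or CI step catches the situation the reporter describes (a resolved URL with the real username and password written into the lock file) before it is committed; `redact` is the form such a tool should use when it prints the offending URL.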