Url: fix sanitize for new github tokens (#10048)

composer · Aug 11, 2021 · c65bd83 · c65bd83
1 parent c7d11f3
commit c65bd83
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/src/Composer/Util/Url.php b/src/Composer/Util/Url.php
@@ -110,8 +110,8 @@ public static function sanitize($url)
         $url = preg_replace('{([&?]access_token=)[^&]+}', '$1***', $url);
 
         $url = preg_replace_callback('{^(?P<prefix>[a-z0-9]+://)?(?P<user>[^:/\s@]+):(?P<password>[^@\s/]+)@}i', function ($m) {
-            // if the username looks like a long (12char+) hex string, or a modern github token (e.g. gp1_xxx) we obfuscate that
-            if (preg_match('{^([a-f0-9]{12,}|g[a-z]\d_[a-zA-Z0-9_]+)$}', $m['user'])) {
+            // if the username looks like a long (12char+) hex string, or a modern github token (e.g. ghp_xxx) we obfuscate that
+            if (preg_match('{^([a-f0-9]{12,}|gh[a-z]_[a-zA-Z0-9_]+)$}', $m['user'])) {
                 return $m['prefix'].'***:***@';
             }
 

diff --git a/tests/Composer/Test/Util/UrlTest.php b/tests/Composer/Test/Util/UrlTest.php
@@ -78,6 +78,7 @@ public static function sanitizeProvider()
             array('https://foo:***@example.org:123/', 'https://foo:bar@example.org:123/'),
             array('https://example.org/foo/bar?access_token=***', 'https://example.org/foo/bar?access_token=abcdef'),
             array('https://example.org/foo/bar?foo=bar&access_token=***', 'https://example.org/foo/bar?foo=bar&access_token=abcdef'),
+            array('https://***:***@github.com/acme/repo', 'https://ghp_1234567890abcdefghijklmnopqrstuvwxyzAB:x-oauth-basic@github.com/acme/repo'),
             // without scheme
             array('foo:***@example.org/', 'foo:bar@example.org/'),
             array('foo@example.org/', 'foo@example.org/'),