From c65bd832d6529a542ad5f74d0e49d3353f8632c8 Mon Sep 17 00:00:00 2001
From: Stephan
Date: Wed, 11 Aug 2021 12:24:41 +0100
Subject: [PATCH] Url: fix sanitize for new github tokens (#10048)
---
 src/Composer/Util/Url.php | 4 ++--
 tests/Composer/Test/Util/UrlTest.php | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/Composer/Util/Url.php b/src/Composer/Util/Url.php
index 26cf80f9be4f..e09754e01096 100644
--- a/src/Composer/Util/Url.php
+++ b/src/Composer/Util/Url.php
@@ -110,8 +110,8 @@ public static function sanitize($url)
 $url = preg_replace('{([&?]access_token=)[^&]+}', '$1***', $url);
 $url = preg_replace_callback('{^(?P[a-z0-9]+://)?(?P[^:/\s@]+):(?P[^@\s/]+)@}i', function ($m) {
- // if the username looks like a long (12char+) hex string, or a modern github token (e.g. gp1_xxx) we obfuscate that
- if (preg_match('{^([a-f0-9]{12,}|g[a-z]\d_[a-zA-Z0-9_]+)$}', $m['user'])) {
+ // if the username looks like a long (12char+) hex string, or a modern github token (e.g. ghp_xxx) we obfuscate that
+ if (preg_match('{^([a-f0-9]{12,}|gh[a-z]_[a-zA-Z0-9_]+)$}', $m['user'])) {
 return $m['prefix'].'***:***@';
 }
diff --git a/tests/Composer/Test/Util/UrlTest.php b/tests/Composer/Test/Util/UrlTest.php
index 2e40ee03efd8..5b76dc9e86ef 100644
--- a/tests/Composer/Test/Util/UrlTest.php
+++ b/tests/Composer/Test/Util/UrlTest.php
@@ -78,6 +78,7 @@ public static function sanitizeProvider()
 array('https://foo:***@example.org:123/', 'https://foo:bar@example.org:123/'),
 array('https://example.org/foo/bar?access_token=***', 'https://example.org/foo/bar?access_token=abcdef'),
 array('https://example.org/foo/bar?foo=bar&access_token=***', 'https://example.org/foo/bar?foo=bar&access_token=abcdef'),
+ array('https://***:***@github.com/acme/repo', 'https://ghp_1234567890abcdefghijklmnopqrstuvwxyzAB:x-oauth-basic@github.com/acme/repo'),
 // without scheme
 array('foo:***@example.org/', 'foo:bar@example.org/'),
 array('foo@example.org/', 'foo@example.org/'),
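Review bot: The `gh[a-z]_` alternative in the `preg_match` inside `sanitize()` is still a prefix allow-list, so a token passed as the URL username in any other format is presumably returned unmasked and can reach logs or error output. GitHub's fine-grained personal access tokens, for example, start with `github_pat_` and would not match; the alternation could be widened to `{^([a-f0-9]{12,}|gh[a-z]_[a-zA-Z0-9_]+|github_pat_[a-zA-Z0-9_]+)$}`. The comment above the check could also list the accepted prefixes (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_`), so it is obvious when the pattern needs updating. The callback continues past the end of the hunk, so the unmasked return path is inferred rather than visible here.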
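Review bot: The added provider row pins only the `ghp_` prefix, so the `[a-z]` class in the new pattern is not exercised for the other token kinds. A sibling row with a different prefix would catch a later narrowing of the regex, for example `array('https://***:***@github.com/acme/repo', 'https://ghs_CONSTRUCTEDSAMPLE0000:x-oauth-basic@github.com/acme/repo'),` (constructed value). `sanitizeProvider()` starts and ends outside the hunk, so such a row may already exist elsewhere in the provider.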