Redact single-part login credentials from URLs. #6891
Labels
auto-locked
Outdated issues that have been locked by automation
good first issue
A good item for first time contributors to work on
type: enhancement
Improvements to functionality
type: security
Has potential security implications
Comments
triage-new-issues
bot
added
the
S: needs triage
chrahunt
added
type: enhancement
triage-new-issues
bot
removed
the
S: needs triage
|
@chrahunt Were you going to mark this "good first issue" with instructions? |
chrahunt
added
the
good first issue
|
Yes, thanks for the reminder! I have updated the issue description. |
lock
bot
added
the
auto-locked
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
What's the problem this feature will solve?
Currently
pip._internals.utils.misc.redact_password_from_urldoes the following:http://hello:foo@foo.com/bar; output:http://hello:****@foo.com/barhttp://hello@foo.com/bar; output:http://hello@foo.com/barThis can be bad and still leak credentials for index servers that use a single API token for login, for example:
https://accesstoken@github.com; output:https://accesstoken@github.comDescribe the solution you'd like
When the auth portion of a URL consists of a single element, we should be redacting it.
This should require renaming
pip._internal.utils.misc.redact_password_from_urltoredact_auth_from_urland updating the behavior so that if only a username is present, then it will be redacted.Some tests that will also need to be updated:
tests.unit.test_utils.test_redact_netloctests.unit.test_utils.test_redact_password_from_urlAlternative Solutions
Additional context
This was mentioned as an issue on PR #6890.
For an example of when this single-part login is used, see #6796.
This issue is a good starting point for anyone who wants to help out with pip's development -- it's simple and the process of fixing this should be a good introduction to pip's development workflow.
The text was updated successfully, but these errors were encountered: