Redact URL to hide password #6295
Conversation
src/pip/_internal/index.py
Outdated
| @@ -155,7 +166,7 @@ def _get_html_response(url, session): | |||
| if _is_url_like_archive(url): | |||
| _ensure_html_response(url, session=session) | |||
|
|
|||
| logger.debug('Getting page %s', url) | |||
| logger.debug('Getting page %s', _redacted_url(url)) | |||
There was a problem hiding this comment.
You should use the redact_password_from_url() function which has this purpose.
There was a problem hiding this comment.
Good to know!, Fixed in the next commit
| "Getting page https://user:<pwd>@example.com/simple/initools" | ||
| in result.stdout | ||
| ) | ||
| virtualenv.clear() |
There was a problem hiding this comment.
Is this needed? If so, should it be in a finally block?
There was a problem hiding this comment.
I used test_command_line_options_override_env_vars as a template and I assumed that you need to cleanup manually. Removed.
| assert ( | ||
| "Getting page https://user:<pwd>@example.com/simple/initools" | ||
| in result.stdout | ||
| ) |
There was a problem hiding this comment.
In addition, you might as well assert that my_password is not in the output. (And I would assign my_password to a variable so that that portion of the test doesn't pass because of a typo.)
| """ | ||
| password = "my_password" | ||
|
|
||
| script.environ['PIP_INDEX_URL'] = ( |
There was a problem hiding this comment.
Why the environ options instead of passing '--index-url', 'https://user:{}@example.com/simple/'.format(password) to script.pip ?
There was a problem hiding this comment.
@xavfernandez Can you confirm if this test hits the network as written? It would be a lot better IMO if it didn't as I think such cases should be reduced to a minimum.
@expobrain It might be better to write a unit test (so in the unit directory rather than functional) of _get_html_response() to avoid hitting the network. You can look at test_get_legacy_build_wheel_path__no_names() and nearby functions for examples of using the caplog fixture (since the code wouldn't be running in a separate subprocess).
There was a problem hiding this comment.
PS - it looks like there are already a number of unit tests of that function (search for test_get_html_response_), and you can follow the examples there of mocking the session response.
There was a problem hiding this comment.
Can you confirm if this test hits the network as written? It would be a lot better IMO if it didn't as I think such cases should be reduced to a minimum.
I confirm it should (I was actually thinking about suggesting to add the network marker to the test) and I don't see a way around that for a functional test.
An unit test could indeed also remove the need for network.
There was a problem hiding this comment.
FYI, here's an example of a test failing because of flakiness due to installing INITools in the test: https://dev.azure.com/pypa/pip/_build/results?buildId=5274&view=logs&jobId=c897e773-a04c-5d18-b461-2c6584d92c5a
There was a problem hiding this comment.
@cjerdonek I've moved the test into unit, please have a look at it
|
Btw, this needs a news file: https://pip.pypa.io/en/stable/development/contributing/#news-entries |
expobrain
force-pushed
the
redact_url
branch
from
59169c2
to
a5a5369
Compare
expobrain
force-pushed
the
redact_url
branch
from
a5a5369
to
70dee95
Compare
Can I use this PR for the news file or better create a new issue? |
Thanks for asking. You can use this PR. |
tests/unit/test_index_html_page.py
Outdated
| @@ -118,6 +118,29 @@ def test_get_html_response_no_head(url): | |||
| ] | |||
|
|
|||
|
|
|||
| @mock.patch("pip._internal.index.logger") | |||
| def test_get_html_response_dont_log_clear_text_password(m_logger): | |||
There was a problem hiding this comment.
You shouldn't need to mock logging. I'll repeat my suggestion from before:
You can look at
test_get_legacy_build_wheel_path__no_names()and nearby functions for examples of using thecaplogfixture (since the code wouldn't be running in a separate subprocess).
There was a problem hiding this comment.
I forgot about it, and fixed in the next commit
expobrain
force-pushed
the
redact_url
branch
from
2c929e0
to
c33535b
Compare
tests/unit/test_index_html_page.py
Outdated
| def test_get_html_response_dont_log_clear_text_password(caplog): | ||
| """ | ||
| `_get_html_response()` shouldn't send a HEAD request if the URL does not | ||
| look like an archive, only the GET request that retrieves data. |
There was a problem hiding this comment.
Looks like this docstring was copied without updating.
tests/unit/test_index_html_page.py
Outdated
|
|
||
| caplog.set_level(logging.DEBUG) | ||
|
|
||
| resp = _get_html_response(url_template.format(password), session=session) |
There was a problem hiding this comment.
Instead of using url_template, it would be simpler and more direct just to pass https://user:[email protected]/simple/.
tests/unit/test_index_html_page.py
Outdated
| record = caplog.records[0] | ||
| assert record.levelname == 'DEBUG' | ||
| assert record.message.splitlines() == [ | ||
| "Getting page {}".format(url_template.format("****")), |
There was a problem hiding this comment.
Again, you can just check that actual string instead of using nested format strings, so "Getting page https://user:****@example.com/simple/"... (It's generally better to be more explicit in test code.)
tests/unit/test_index_html_page.py
Outdated
| look like an archive, only the GET request that retrieves data. | ||
| """ | ||
| password = "my_password" | ||
| url_template = "https://user:{}@example.com/simple/" |
There was a problem hiding this comment.
You won't need these two variables (see below).
expobrain
force-pushed
the
redact_url
branch
2 times, most recently
from
1a2af7b
to
9e13fea
Compare
news/6295.bugfix
Outdated
| @@ -0,0 +1 @@ | |||
| Redacts the URL of the extra index when `pip -v` to hide the user's password | |||
There was a problem hiding this comment.
Since the URL isn't being removed but only the password, it would be better to say something like, "Redact the password from the extra index URL when using pip -v." Also, you want to use double backticks before and after "pip -v" rather than single, and end the sentence with a period.
There was a problem hiding this comment.
Do you mean like ``pip -v``?
There was a problem hiding this comment.
Yeah. I couldn't get it to render in GitHub's viewer when I first tried. The reason for double is because the contents are reStructuredText and not, say, Markdown: https://pip.pypa.io/en/stable/development/contributing/#contents-of-a-news-entry
There was a problem hiding this comment.
I used a backslash before the backtick to escape it and let Markdown ignore it
tests/unit/test_index_html_page.py
Outdated
| @@ -118,6 +118,34 @@ def test_get_html_response_no_head(url): | |||
| ] | |||
|
|
|||
|
|
|||
| def test_get_html_response_dont_log_clear_text_password(caplog): | |||
| """ | |||
| `_get_html_response()` shouldn't log the full index's URL includoing the | |||
There was a problem hiding this comment.
Typo: including
Also, this could be a little clearer. How about: "_get_html_response() should redact the password from the index URL in its DEBUG log message."
|
Thank you for all your work on this, @expobrain! |
|
Thank you @cjerdonek too for the code review! |
|
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
lock
bot
added
the
auto-locked
When the verbose flag is used in
pip installand in~/.pip/pip.confyou setup the access to you private registry with basic auth, i.e.extra-index-url = https://username:[email protected]/simple/, when usingpip install -vthe password is printed in clear to stdout.This PR redact the URL to hide original password.