Redact single-part login credentials from URLs. · Issue #6891 · pypa/pip

What's the problem this feature will solve?

Currently pip._internals.utils.misc.redact_password_from_url does the following:

  1. input: http://hello:foo@foo.com/bar; output: http://hello:****@foo.com/bar
  2. input: http://hello@foo.com/bar; output: http://hello@foo.com/bar

This can be bad and still leak credentials for index servers that use a single API token for login, for example:

  1. input: https://accesstoken@github.com; output: https://accesstoken@github.com

Describe the solution you'd like

When the auth portion of a URL consists of a single element, we should be redacting it.

This should require renaming pip._internal.utils.misc.redact_password_from_url to redact_auth_from_url and updating the behavior so that if only a username is present, then it will be redacted.

Some tests that will also need to be updated:

  1. tests.unit.test_utils.test_redact_netloc
  2. tests.unit.test_utils.test_redact_password_from_url

Alternative Solutions

  1. Do nothing

Additional context

This was mentioned as an issue on PR #6890.

For an example of when this single-part login is used, see #6796.
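One way the proposed redact_auth_from_url could behave, as an added example that is not pip's own code: it covers both the user:password case and the single-token case from the issue, using only the standard library's urllib.parse.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed example implementation; pip's real helper may differ.
def redact_auth_from_url(url: str) -> str:
    """Return url with the credential part of the netloc replaced by '****'.

    - user:password@host  -> user:****@host   (current pip behaviour)
    - token@host          -> ****@host        (the single-element case
                                               the issue wants covered)
    - host with no '@'    -> returned unchanged
    """
    parts = urlsplit(url)
    netloc = parts.netloc
    if "@" not in netloc:
        return url
    # rsplit so a literal '@' inside the userinfo does not split the host off
    userinfo, host = netloc.rsplit("@", 1)
    if ":" in userinfo:
        user, _password = userinfo.split(":", 1)
        redacted = f"{user}:****"
    else:
        # Only one element present: treat it as a secret and redact it
        redacted = "****"
    # _replace keeps scheme, path, query and fragment intact
    return urlunsplit(parts._replace(netloc=f"{redacted}@{host}"))
```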


This issue is a good starting point for anyone who wants to help out with pip's development -- it's simple and the process of fixing this should be a good introduction to pip's development workflow.