Redact single-part login credentials from URLs. · Issue #6891 · pypa/pip
What's the problem this feature will solve?
Currently pip._internal.utils.misc.redact_password_from_url does the following:
- input: http://hello:foo@foo.com/bar ; output: http://hello:****@foo.com/bar
- input: http://hello@foo.com/bar ; output: http://hello@foo.com/bar
This can be bad and still leak credentials for index servers that use a single API token for login, for example:
- input: https://accesstoken@github.com ; output: https://accesstoken@github.com
Describe the solution you'd like
When the auth portion of a URL consists of a single element, we should be redacting it.
This should require renaming pip._internal.utils.misc.redact_password_from_url to redact_auth_from_url and updating the behavior so that if only a username is present, then it will be redacted.
Some tests that will also need to be updated:
- tests.unit.test_utils.test_redact_netloc
- tests.unit.test_utils.test_redact_password_from_url
Alternative Solutions
- Do nothing
Additional context
This was mentioned as an issue on PR #6890.
For an example of when this single-part login is used, see #6796.
This issue is a good starting point for anyone who wants to help out with pip's development -- it's simple and the process of fixing this should be a good introduction to pip's development workflow.
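The behaviour described above, as an added, self-contained illustration that is not pip's own code: `redact_password_only` reproduces the leaking behaviour the issue reports (only the `password` part of the userinfo is masked), and `redact_auth_from_url` is one possible implementation of the requested fix, which masks the whole userinfo when it consists of a single element. The function names mirror the issue; the choice to reuse `****` as the mask for a single-part credential and the helper `split_auth_from_netloc` are assumptions of this example, not pip's API.

```python
from urllib.parse import urlsplit, urlunsplit

# Mask reused from the existing password redaction shown in the issue
# (the reuse for the single-element case is an assumption of this example).
REDACTED = "****"


def split_auth_from_netloc(netloc):
    """Return (host_part, userinfo) where userinfo is None if absent.

    The host part of a netloc never contains '@', while a percent-encoded
    username or password legally may, so split on the LAST '@'.
    """
    if "@" not in netloc:
        return netloc, None
    userinfo, host = netloc.rsplit("@", 1)
    return host, userinfo


def _transform_url(url, transform_netloc):
    """Rebuild `url` with its netloc replaced by transform_netloc(netloc).

    Path, query and fragment are carried through untouched.
    """
    parts = urlsplit(url)
    return urlunsplit(parts._replace(netloc=transform_netloc(parts.netloc)))


def redact_password_only(url):
    """The leaking behaviour the issue reports: only 'user:PASSWORD' is masked.

    A bare 'TOKEN@host' userinfo has no ':' and passes through unchanged.
    """
    def _netloc(netloc):
        host, userinfo = split_auth_from_netloc(netloc)
        if userinfo is None or ":" not in userinfo:
            return netloc  # <-- single-part credential leaks here
        user, _password = userinfo.split(":", 1)
        return f"{user}:{REDACTED}@{host}"

    return _transform_url(url, _netloc)


def redact_netloc(netloc):
    """Mask credentials in a netloc.

    'user:pass@host' -> 'user:****@host'  (username kept, password masked)
    'token@host'     -> '****@host'       (single element: mask it entirely)
    'host'           -> 'host'            (no credentials: unchanged)
    """
    host, userinfo = split_auth_from_netloc(netloc)
    if userinfo is None:
        return netloc
    if ":" in userinfo:
        user, _password = userinfo.split(":", 1)
        return f"{user}:{REDACTED}@{host}"
    # Only one element in the userinfo: it is a credential (e.g. an API
    # token used as the username), so redact all of it.
    return f"{REDACTED}@{host}"


def redact_auth_from_url(url):
    """Requested fix: redact whatever credential material the URL carries."""
    return _transform_url(url, redact_netloc)


if __name__ == "__main__":
    # Constructed sample URLs, taken from the cases listed in the issue.
    samples = [
        "http://hello:foo@foo.com/bar",
        "http://hello@foo.com/bar",
        "https://accesstoken@github.com",
        "https://pypi.org/simple/",
    ]
    for url in samples:
        print(f"{url}")
        print(f"  password-only : {redact_password_only(url)}")
        print(f"  full auth     : {redact_auth_from_url(url)}")
```

`split_auth_from_netloc` splits on the last `@` rather than the first so that a percent-encoded `@` inside the username or password cannot push part of the credential into the "host" half and past the redaction. Ports and IPv6 literals sit to the right of the last `@` and are preserved as-is.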