1berry/ruby
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[rubygems/rubygems] Using Gem::PrintableUri in Gem::Request class

Browse Source 
The `@uri` variable could be a source URI with a credential. Using `Gem::PrintableUri` to make sure we are redacting sensitive information from it when logging on verbose mode.

https://github.com/rubygems/rubygems/commit/f566787211
This commit is contained in:
Daniel Niknam 2021-08-22 01:37:32 +10:00 committed by Hiroshi SHIBATA
parent 31c2e6c08e
commit 19e1d3cdce
Notes: git 2021-08-31 19:06:58 +09:00 
Merged: https://github.com/ruby/ruby/pull/4789
2 changed files with 32 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
lib/rubygems/request.rb
View File

@ -184,6 +184,7 @@ class Gem::Request
def perform_request(request) # :nodoc: def perform_request(request) # :nodoc:
connection = connection_for @uri connection = connection_for @uri
uri = Gem::PrintableUri.parse_uri(@uri)
retried = false retried = false
bad_response = false bad_response = false
@ -191,7 +192,7 @@ class Gem::Request
begin begin
@requests[connection.object_id] += 1 @requests[connection.object_id] += 1
verbose "#{request.method} #{@uri}" verbose "#{request.method} #{uri}"
file_name = File.basename(@uri.path) file_name = File.basename(@uri.path)
# perform download progress reporter only for gems # perform download progress reporter only for gems

34
test/rubygems/test_gem_request.rb
View File

@ -197,27 +197,53 @@ class TestGemRequest < Gem::TestCase
end end
def test_fetch_basic_auth def test_fetch_basic_auth
Gem.configuration.verbose = :really
uri = URI.parse "https://user:pass@example.rubygems/specs.#{Gem.marshal_version}" uri = URI.parse "https://user:pass@example.rubygems/specs.#{Gem.marshal_version}"
conn = util_stub_net_http(:body => :junk, :code => 200) do |c| conn = util_stub_net_http(:body => :junk, :code => 200) do |c|
@request = make_request(uri, Net::HTTP::Get, nil, nil) use_ui @ui do
@request.fetch @request = make_request(uri, Net::HTTP::Get, nil, nil)
@request.fetch
end
c c
end end
auth_header = conn.payload['Authorization'] auth_header = conn.payload['Authorization']
assert_equal "Basic #{Base64.encode64('user:pass')}".strip, auth_header assert_equal "Basic #{Base64.encode64('user:pass')}".strip, auth_header
assert_includes @ui.output, "GET https://user:REDACTED@example.rubygems/specs.#{Gem.marshal_version}"
end end
def test_fetch_basic_auth_encoded def test_fetch_basic_auth_encoded
Gem.configuration.verbose = :really
uri = URI.parse "https://user:%7BDEScede%7Dpass@example.rubygems/specs.#{Gem.marshal_version}" uri = URI.parse "https://user:%7BDEScede%7Dpass@example.rubygems/specs.#{Gem.marshal_version}"
conn = util_stub_net_http(:body => :junk, :code => 200) do |c| conn = util_stub_net_http(:body => :junk, :code => 200) do |c|
@request = make_request(uri, Net::HTTP::Get, nil, nil) use_ui @ui do
@request.fetch @request = make_request(uri, Net::HTTP::Get, nil, nil)
@request.fetch
end
c c
end end
auth_header = conn.payload['Authorization'] auth_header = conn.payload['Authorization']
assert_equal "Basic #{Base64.encode64('user:{DEScede}pass')}".strip, auth_header assert_equal "Basic #{Base64.encode64('user:{DEScede}pass')}".strip, auth_header
assert_includes @ui.output, "GET https://user:REDACTED@example.rubygems/specs.#{Gem.marshal_version}"
end
def test_fetch_basic_oauth_encoded
Gem.configuration.verbose = :really
uri = URI.parse "https://%7BDEScede%7Dpass:x-oauth-basic@example.rubygems/specs.#{Gem.marshal_version}"
conn = util_stub_net_http(:body => :junk, :code => 200) do |c|
use_ui @ui do
@request = make_request(uri, Net::HTTP::Get, nil, nil)
@request.fetch
end
c
end
auth_header = conn.payload['Authorization']
assert_equal "Basic #{Base64.encode64('{DEScede}pass:x-oauth-basic')}".strip, auth_header
assert_includes @ui.output, "GET https://REDACTED:x-oauth-basic@example.rubygems/specs.#{Gem.marshal_version}"
end end
def test_fetch_head def test_fetch_head