[rubygems/rubygems] Fix gemfury credentials getting written to logs in verbose mode

https://github.com/rubygems/rubygems/commit/585a6a89d4
This commit is contained in:
David Rodríguez 2024-11-21 18:16:19 +01:00 committed by git
parent eb87147bda
commit e1de5a6e3b
3 changed files with 21 additions and 7 deletions


@ -16,7 +16,7 @@ module Bundler
if uri.userinfo
# oauth authentication
if uri.password == "x-oauth-basic" || uri.password == "x"
if uri.password == "x-oauth-basic" || uri.password == "x" || uri.password.nil?
# URI as string does not display with password if no user is set
oauth_designation = uri.password
uri.user = oauth_designation
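Review bot: The added `uri.password.nil?` test on the changed `if` line only catches the `token@host` spelling; `Gem::URI` yields `""` rather than `nil` for `token:@host`, so that form still skips this branch, and if the code after the `if` (outside the hunk) only clears the password, the token stays in the user field and reaches the debug log. Consider `if uri.password.nil? || uri.password.empty? || uri.password == "x-oauth-basic" || uri.password == "x"` so both spellings of a bare token are stripped. The comment on the following line explains the `uri.user = oauth_designation` trick but not the new case; `# no password (or an oauth placeholder): the user field is the secret, so blank it` would make the intent explicit. The enclosing method starts and ends outside the hunk.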


@ -154,35 +154,39 @@ RSpec.describe Bundler::Fetcher::Downloader do
context "that contains cgi escaped characters" do
let(:uri) { Gem::URI("http://username:password%24@www.uri-to-fetch.com/api/v2/endpoint") }
it "should request basic authentication with the username and password" do
it "should request basic authentication with the username and password, and log the HTTP GET request to debug, without the password" do
expect(net_http_get).to receive(:basic_auth).with("username", "password$")
expect(Bundler).to receive_message_chain(:ui, :debug).with("HTTP GET http://username@www.uri-to-fetch.com/api/v2/endpoint")
subject.request(uri, options)
end
end
context "that is all unescaped characters" do
let(:uri) { Gem::URI("http://username:password@www.uri-to-fetch.com/api/v2/endpoint") }
it "should request basic authentication with the username and proper cgi compliant password" do
it "should request basic authentication with the username and proper cgi compliant password, and log the HTTP GET request to debug, without the password" do
expect(net_http_get).to receive(:basic_auth).with("username", "password")
expect(Bundler).to receive_message_chain(:ui, :debug).with("HTTP GET http://username@www.uri-to-fetch.com/api/v2/endpoint")
subject.request(uri, options)
end
end
end
context "and there is no password provided" do
context "and it's used as the authentication token" do
let(:uri) { Gem::URI("http://username@www.uri-to-fetch.com/api/v2/endpoint") }
it "should request basic authentication with just the user" do
it "should request basic authentication with just the user, and log the HTTP GET request to debug, without the token" do
expect(net_http_get).to receive(:basic_auth).with("username", nil)
expect(Bundler).to receive_message_chain(:ui, :debug).with("HTTP GET http://www.uri-to-fetch.com/api/v2/endpoint")
subject.request(uri, options)
end
end
context "that contains cgi escaped characters" do
context "and it's used as the authentication token, and contains cgi escaped characters" do
let(:uri) { Gem::URI("http://username%24@www.uri-to-fetch.com/api/v2/endpoint") }
it "should request basic authentication with the proper cgi compliant password user" do
it "should request basic authentication with the proper cgi compliant password user, and log the HTTP GET request to debug, without the token" do
expect(net_http_get).to receive(:basic_auth).with("username$", nil)
expect(Bundler).to receive_message_chain(:ui, :debug).with("HTTP GET http://www.uri-to-fetch.com/api/v2/endpoint")
subject.request(uri, options)
end
end
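Review bot: Each of the four `it` descriptions in this section now bundles two assertions into one long sentence ("... and log the HTTP GET request to debug, without the password"), and the logging expectation has the same shape in every example; a shared example such as `it_behaves_like "it logs the request without credentials", "http://username@www.uri-to-fetch.com/api/v2/endpoint"`, holding the `receive_message_chain(:ui, :debug)` expectation, would keep each example single-purpose and the descriptions short. The bare `username@` and `username%24@` cases are the ones that matter for the leak and are pinned correctly with the userinfo absent from the logged URL. A `username:@` variant (empty rather than absent password) is not covered here, and `Gem::URI` parses it differently from the no-password form, so it deserves its own example. The enclosing `describe` block starts and ends outside the hunk.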


@ -31,6 +31,16 @@ RSpec.describe Bundler::URICredentialsFilter do
it_behaves_like "original type of uri is maintained"
end
context "specified without empty username" do
let(:credentials) { "oauth_token@" }
it "returns the uri without the oauth token" do
expect(subject.credential_filtered_uri(uri).to_s).to eq(Gem::URI("https://github.com/company/private-repo").to_s)
end
it_behaves_like "original type of uri is maintained"
end
end
context "authentication using login credentials" do
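Review bot: The new context name `"specified without empty username"` does not describe its fixture: `oauth_token@` is a token in the user field with no password at all, so `context "specified as the username with no password" do` would read more clearly alongside the other contexts in this group. The assertion itself is right for the log fix, since the expected string carries no userinfo at all. A sibling example using `"oauth_token:@"` (empty rather than absent password) would pin the other spelling of a bare token, because the filter branch exercised here compares `uri.password` against `nil`, not `""`, and so may behave differently for it. The enclosing `context` starts and ends outside the hunk.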