From e1de5a6e3b27b8ac4b97ca8491697703ba12a41b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Rodr=C3=ADguez?=
Date: Thu, 21 Nov 2024 18:16:19 +0100
Subject: [PATCH] [rubygems/rubygems] Fix gemfury credentials getting written to logs in verbose mode
https://github.com/rubygems/rubygems/commit/585a6a89d4
---
 lib/bundler/uri_credentials_filter.rb | 2 +-
 spec/bundler/bundler/fetcher/downloader_spec.rb | 16 ++++++++++------
 .../bundler/uri_credentials_filter_spec.rb | 10 ++++++++++
 3 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/lib/bundler/uri_credentials_filter.rb b/lib/bundler/uri_credentials_filter.rb
index a83f5304e2..6804187433 100644
--- a/lib/bundler/uri_credentials_filter.rb
+++ b/lib/bundler/uri_credentials_filter.rb
@@ -16,7 +16,7 @@ module Bundler
 if uri.userinfo
 # oauth authentication
- if uri.password == "x-oauth-basic" || uri.password == "x"
+ if uri.password == "x-oauth-basic" || uri.password == "x" || uri.password.nil?
 # URI as string does not display with password if no user is set
 oauth_designation = uri.password
 uri.user = oauth_designation
diff --git a/spec/bundler/bundler/fetcher/downloader_spec.rb b/spec/bundler/bundler/fetcher/downloader_spec.rb
index d5c32f4730..13f8cc74aa 100644
--- a/spec/bundler/bundler/fetcher/downloader_spec.rb
+++ b/spec/bundler/bundler/fetcher/downloader_spec.rb
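Review bot: The new `uri.password.nil?` arm on the changed line covers the `token@host` shape, but a `token:@host` URI should yield an empty-string password rather than nil (if the vendored URI parser splits userinfo the way stdlib URI does), so that token would still reach the log unfiltered; the guard should also accept an empty password, and a spec built on `Gem::URI("http://token:@host/")` pinning that the rendered URI carries no userinfo would confirm the fix. The `# oauth authentication` comment above no longer describes the nil case, where `oauth_designation` is nil and assigning it to `uri.user` drops the userinfo entirely, so a line such as `# a bare "token@host" userinfo is itself the secret: drop it rather than keep the user part` would record the intent. This also means a plain username with no password disappears from filtered output, which is the right trade-off since the two forms are indistinguishable and the filtered value is only used for display. The enclosing `credential_filtered_uri` method starts and ends outside the hunk.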
@@ -154,35 +154,39 @@ RSpec.describe Bundler::Fetcher::Downloader do
 context "that contains cgi escaped characters" do
 let(:uri) { Gem::URI("http://username:password%24@www.uri-to-fetch.com/api/v2/endpoint") }
- it "should request basic authentication with the username and password" do
+ it "should request basic authentication with the username and password, and log the HTTP GET request to debug, without the password" do
 expect(net_http_get).to receive(:basic_auth).with("username", "password$")
+ expect(Bundler).to receive_message_chain(:ui, :debug).with("HTTP GET http://username@www.uri-to-fetch.com/api/v2/endpoint")
 subject.request(uri, options)
 end
 end
 context "that is all unescaped characters" do
 let(:uri) { Gem::URI("http://username:password@www.uri-to-fetch.com/api/v2/endpoint") }
- it "should request basic authentication with the username and proper cgi compliant password" do
+ it "should request basic authentication with the username and proper cgi compliant password, and log the HTTP GET request to debug, without the password" do
 expect(net_http_get).to receive(:basic_auth).with("username", "password")
+ expect(Bundler).to receive_message_chain(:ui, :debug).with("HTTP GET http://username@www.uri-to-fetch.com/api/v2/endpoint")
 subject.request(uri, options)
 end
 end
 end
- context "and there is no password provided" do
+ context "and it's used as the authentication token" do
 let(:uri) { Gem::URI("http://username@www.uri-to-fetch.com/api/v2/endpoint") }
- it "should request basic authentication with just the user" do
+ it "should request basic authentication with just the user, and log the HTTP GET request to debug, without the token" do
 expect(net_http_get).to receive(:basic_auth).with("username", nil)
+ expect(Bundler).to receive_message_chain(:ui, :debug).with("HTTP GET http://www.uri-to-fetch.com/api/v2/endpoint")
 subject.request(uri, options)
 end
 end
- context "that contains cgi escaped characters" do
+ context "and it's used as the authentication token, and contains cgi escaped characters" do
 let(:uri) { Gem::URI("http://username%24@www.uri-to-fetch.com/api/v2/endpoint") }
- it "should request basic authentication with the proper cgi compliant password user" do
+ it "should request basic authentication with the proper cgi compliant password user, and log the HTTP GET request to debug, without the token" do
 expect(net_http_get).to receive(:basic_auth).with("username$", nil)
+ expect(Bundler).to receive_message_chain(:ui, :debug).with("HTTP GET http://www.uri-to-fetch.com/api/v2/endpoint")
 subject.request(uri, options)
 end
 end
diff --git a/spec/bundler/bundler/uri_credentials_filter_spec.rb b/spec/bundler/bundler/uri_credentials_filter_spec.rb
index ed24744a1c..641f0addb4 100644
--- a/spec/bundler/bundler/uri_credentials_filter_spec.rb
+++ b/spec/bundler/bundler/uri_credentials_filter_spec.rb
@@ -31,6 +31,16 @@ RSpec.describe Bundler::URICredentialsFilter do
 it_behaves_like "original type of uri is maintained"
 end
+
+ context "specified without empty username" do
+ let(:credentials) { "oauth_token@" }
+
+ it "returns the uri without the oauth token" do
+ expect(subject.credential_filtered_uri(uri).to_s).to eq(Gem::URI("https://github.com/company/private-repo").to_s)
+ end
+
+ it_behaves_like "original type of uri is maintained"
+ end
 end
 context "authentication using login credentials" do
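Review bot: The four added `expect(Bundler).to receive_message_chain(:ui, :debug).with(...)` lines repeat two literal redacted URLs, one per credential shape; a `let(:logged_uri) { "HTTP GET http://username@www.uri-to-fetch.com/api/v2/endpoint" }` beside each `let(:uri)` would keep the input and its expected redacted form together and make the pairing reviewable at a glance (the enclosing `context` blocks start outside the hunk). Because `receive_message_chain(:ui, :debug).with(...)` installs a message expectation with an argument constraint, any other `debug` call made during `request` would presumably fail the example with unexpected arguments rather than be ignored; if only the GET line is logged today that is fine, but it makes the spec brittle to unrelated logging additions. The examples pin the exact log line, which is good, but none asserts the negative the titles promise; an accompanying check that the captured message does not include `"password$"` (or the token) would keep a leak detectable even if the log format changes.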
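Review bot: The new context description `"specified without empty username"` does not match the `"oauth_token@"` fixture it introduces, which is a token carried as the username with no password component at all; `context "specified as a bare token with no password" do` would tell a reader which URI shape is under test and why the whole userinfo is expected to vanish. The example body and the reuse of the `"original type of uri is maintained"` shared example are consistent with the siblings as far as they are visible. The enclosing `context` block starts outside the hunk.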