author | The Bundler Bot <bot@bundler.io> | 2018-04-17 11:53:55 +0000 |
---|---|---|
committer | Colby Swandale <me@colby.fyi> | 2018-04-20 10:28:36 +1000 |
commit | 21fe7d372e01f76aa73751487755ce2fa67d8635 (patch) | |
tree | 72ad8bd8aa9a6ee5efaad06a33851dd4d34351e4 | |
parent | 27626e791546c9f33f81abb524f0a8b76e10f036 (diff) | |
download | bundler-21fe7d372e01f76aa73751487755ce2fa67d8635.tar.gz |
Auto merge of #6490 - bundler:segiddins/6489-filter-git-creds-using-message, r=colby-swandale
Filter git uri credentials in source description
### What was the end-user problem that led to this PR?
The problem was HTTP basic auth credentials were leaking into Bundler's output when used in git sources
### What was your diagnosis of the problem?
My diagnosis was we needed to filter credentials in `Git#to_s`
### Why did you choose this fix out of the possible options?
I chose this fix because it doesn't require updating every place that uses `Source#to_s`, and is symmetric with what the rubygems source does to filter creds
(cherry picked from commit 822d5b278ecdae70912fe75517cf3cbdb1d53649)
-rw-r--r-- | lib/bundler/source/git.rb | 3 | ||||
-rw-r--r-- | spec/bundler/source/git_spec.rb | 28 |
2 files changed, 30 insertions, 1 deletions
diff --git a/lib/bundler/source/git.rb b/lib/bundler/source/git.rb
index a1a59ddce5..0b00608bdd 100644
--- a/lib/bundler/source/git.rb
+++ b/lib/bundler/source/git.rb
@@ -21,6 +21,7 @@ module Bundler
 %w[ref branch tag revision].each {|k| options[k] = options[k].to_s if options[k] }
 @uri = options["uri"] || ""
+ @safe_uri = URICredentialsFilter.credential_filtered_uri(@uri)
 @branch = options["branch"]
 @ref = options["ref"] || options["branch"] || options["tag"] || "master"
 @submodules = options["submodules"]
@@ -77,7 +78,7 @@ module Bundler
 nil
 end
- "#{uri} (at #{at}#{rev})"
+ "#{@safe_uri} (at #{at}#{rev})"
 end
 def name
diff --git a/spec/bundler/source/git_spec.rb b/spec/bundler/source/git_spec.rb
new file mode 100644
index 0000000000..f7475a35aa
--- /dev/null
+++ b/spec/bundler/source/git_spec.rb
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+RSpec.describe Bundler::Source::Git do
+ before do
+ allow(Bundler).to receive(:root) { Pathname.new("root") }
+ end
+
+ let(:uri) { "https://github.com/foo/bar.git" }
+ let(:options) do
+ { "uri" => uri }
+ end
+
+ subject { described_class.new(options) }
+
+ describe "#to_s" do
+ it "returns a description" do
+ expect(subject.to_s).to eq "https://github.com/foo/bar.git (at master)"
+ end
+
+ context "when the URI contains credentials" do
+ let(:uri) { "https://my-secret-token:x-oauth-basic@github.com/foo/bar.git" }
+
+ it "filters credentials" do
+ expect(subject.to_s).to eq "https://x-oauth-basic@github.com/foo/bar.git (at master)"
+ end
+ end
+ end
+end |
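Review bot: In the first hunk of lib/bundler/source/git.rb, the new `@safe_uri` assignment runs the filter inside the initializer, so input the filter cannot parse now affects construction of every Git source, not just its display string. The body of `URICredentialsFilter.credential_filtered_uri` is not visible in this diff; it is worth confirming that it returns rather than raises for scp-style remotes such as `git@host:path`, for local paths, and for the `""` default assigned on the line above. Its fallback for unparseable input should also not hand back the original string with credentials intact. A short comment would help the next reader: `# Display-only copy of @uri with credentials removed; never use it to fetch.` The initializer starts and ends outside the hunk.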
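Review bot: In the second hunk of lib/bundler/source/git.rb, only the string built at the end of `to_s` switches to `@safe_uri`; the `uri` accessor that the old line interpolated still returns the credentialed value. Any log line, error message or exception text elsewhere that interpolates `uri` directly would therefore still print the secret. Those call sites are outside this diff, so treat this as a prompt to search for direct `uri` interpolation in user-facing output rather than a confirmed leak. It would also be worth a one-line comment above the return value, e.g. `# Uses the filtered URI: this string is for display and does not round-trip to the configured remote.` `to_s` begins above the hunk.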
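Review bot: In spec/bundler/source/git_spec.rb, the "when the URI contains credentials" context exercises only the `token:x-oauth-basic` form. The spec therefore does not pin what `to_s` prints for an ordinary `user:password@host` remote, or for a token supplied as the sole userinfo component (`https://<token>@host/...`). The second form matters because a filter that removes only the password part would leave the token in the output; whether this filter does so is not visible here. Adding one example per form, plus one with a non-default ref, would make the redaction contract explicit and catch regressions in the filter.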