authorTim Moore <tmoore@incrementalism.net>2014-11-16 16:37:58 +1100
committerTim Moore <tmoore@incrementalism.net>2014-12-02 08:16:50 +1100
commit7245613ec6b54e676fc52b4ac876b6fa05f383c0 (patch)
tree2acc1c34c8503ed3c361e1be4f918489d58d2f5a
parenta28f318d257e540522d01ccdf5a95467d71a5f8c (diff)
downloadbundler-7245613ec6b54e676fc52b4ac876b6fa05f383c0.tar.gz
Strip credentials from ambiguous source warnings.
Fixes #3249.
-rw-r--r--lib/bundler.rb1
-rw-r--r--lib/bundler/anonymizable_uri.rb16
-rw-r--r--lib/bundler/fetcher.rb8
-rw-r--r--lib/bundler/source/rubygems.rb14
-rw-r--r--spec/bundler/anonymizable_uri_spec.rb32
-rw-r--r--spec/install/gems/dependency_api_spec.rb13
6 files changed, 73 insertions, 11 deletions
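--- a/lib/bundler.rb
+++ b/lib/bundler.rb
@@ -12,6 +12,7 @@ module Bundler
 preserve_gem_path
 ORIGINAL_ENV = ENV.to_hash
+ autoload :AnonymizableURI, 'bundler/anonymizable_uri'
 autoload :Definition, 'bundler/definition'
 autoload :Dependency, 'bundler/dependency'
 autoload :DepProxy, 'bundler/dep_proxy'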
diff --git a/lib/bundler/anonymizable_uri.rb b/lib/bundler/anonymizable_uri.rb
new file mode 100644
index 0000000000..032346fd25
--- /dev/null
+++ b/lib/bundler/anonymizable_uri.rb
@@ -0,0 +1,16 @@
+module Bundler
+ class AnonymizableURI
+ attr_reader :original_uri,
+ :without_credentials
+
+ def initialize(original_uri)
+ @original_uri = original_uri.freeze
+ @without_credentials ||=
+ if original_uri.userinfo
+ original_uri.dup.tap { |uri| uri.user = uri.password = nil }.freeze
+ else
+ original_uri
+ end
+ end
+ end
+end
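Review bot: AnonymizableURI keeps the credentialed URI in `@original_uri` but defines no `to_s` or `inspect`, so the default `inspect` (and any string interpolation that falls back to it) dumps that instance variable, credentials included. That matters once the third hunk of lib/bundler/fetcher.rb stores the object itself in `spec.source_uri`: a consumer that prints the spec's source URI directly now gets the very secret this class exists to hide unless it remembers to call `without_credentials`. Defining `to_s` and `inspect` in terms of `without_credentials` makes the safe form the default and the credentialed one an explicit `original_uri` call. Separately, the `||=` on `@without_credentials` in `initialize` is redundant because the ivar is always unset at that point; a plain `=` reads more honestly.
```ruby
    # … unchanged: attr_reader and initialize …

    # Render the credential-free form so accidental interpolation or
    # logging never exposes the userinfo held in original_uri.
    def to_s
      without_credentials.to_s
    end

    def inspect
      "#<#{self.class} #{without_credentials}>"
    end
```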
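--- a/lib/bundler/fetcher.rb
+++ b/lib/bundler/fetcher.rb
@@ -96,8 +96,7 @@ module Bundler
 @max_retries = 3 # How many retries for the API call
 @remote_uri = Bundler::Source.mirror_for(remote_uri)
- @public_uri = @remote_uri.dup
- @public_uri.user, @public_uri.password = nil, nil # don't print these
+ @anonymizable_uri = AnonymizableURI.new(@remote_uri.dup) unless @remote_uri.nil?
 Socket.do_not_reverse_lookup = true
 connection # create persistent connection
@@ -131,7 +130,7 @@ module Bundler
 end
 def uri
- @public_uri
+ @anonymizable_uri.without_credentials unless @anonymizable_uri.nil?
 end
 # fetch a gem specification
@@ -186,7 +185,7 @@ module Bundler
 spec = RemoteSpecification.new(name, version, platform, self)
 end
 spec.source = source
- spec.source_uri = @remote_uri
+ spec.source_uri = @anonymizable_uri
 index << spec
 end
@@ -387,6 +386,7 @@ module Bundler
 raise AuthenticationRequiredError.new(uri) if auth.nil?
 @remote_uri.user, @remote_uri.password = *auth.split(":", 2)
+ @anonymizable_uri = AnonymizableURI.new(@remote_uri.dup)
 yield
 end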
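Review bot: The AnonymizableURI handed to `spec.source_uri` in the third hunk is not updated when the last hunk rebuilds `@anonymizable_uri` after the credentials are written into `@remote_uri`; each spec keeps the earlier object, whose `original_uri` is a frozen dup taken before authentication. Previously those specs shared the mutable `@remote_uri` and therefore saw the new user and password, so if any spec is created before this block runs, `fetch_gem` in lib/bundler/source/rubygems.rb will download with a `spec.source_uri.original_uri` that carries no credentials. Whether the `yield` rebuilds the index is not visible here, so this is worth confirming against the basic-auth install spec. The method enclosing the last hunk starts outside the hunk.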
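--- a/lib/bundler/source/rubygems.rb
+++ b/lib/bundler/source/rubygems.rb
@@ -83,9 +83,8 @@ module Bundler
 # by rubygems.org are broken and wrong.
 if spec.source_uri
 # Check for this spec from other sources
- uris = [spec.source_uri]
+ uris = [spec.source_uri.without_credentials]
 uris += source_uris_for_spec(spec)
- uris.compact!
 uris.uniq!
 Installer.ambiguous_gems << [spec.name, *uris] if uris.length > 1
@@ -186,14 +185,15 @@ module Bundler
 end
 end
- protected
+ private
 def source_uris_for_spec(spec)
- specs.search_all(spec.name).map{|s| s.source_uri }
+ specs.search_all(spec.name).inject([]) do |uris, spec|
+ uris << spec.source_uri.without_credentials if spec.source_uri
+ uris
+ end
 end
- private
-
 def cached_gem(spec)
 cached_gem = cached_path(spec)
 unless cached_gem
@@ -330,7 +330,7 @@ module Bundler
 def fetch_gem(spec)
 return false unless spec.source_uri
- Fetcher.download_gem_from_uri(spec, spec.source_uri)
+ Fetcher.download_gem_from_uri(spec, spec.source_uri.original_uri)
 end
 def builtin_gem?(spec)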
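Review bot: In `source_uris_for_spec` (second hunk) the block parameter `spec` shadows the method's own `spec` argument; it works only because the outer name is not used inside the block, and it will trip the next reader. Renaming it keeps the intent obvious: `specs.search_all(spec.name).inject([]) do |uris, s|` and `uris << s.source_uri.without_credentials if s.source_uri`. The first hunk's removal of `uris.compact!` is safe only because this helper now skips specs without a `source_uri`, so a short comment on the helper, `# Never yields nil: specs with no source_uri are skipped.`, ties the two together. The `cached_gem` definition at the end of the second hunk continues outside it.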
diff --git a/spec/bundler/anonymizable_uri_spec.rb b/spec/bundler/anonymizable_uri_spec.rb
new file mode 100644
index 0000000000..e5d9faeb84
--- /dev/null
+++ b/spec/bundler/anonymizable_uri_spec.rb
@@ -0,0 +1,32 @@
+require 'spec_helper'
+require 'bundler/anonymizable_uri'
+
+describe Bundler::AnonymizableURI do
+ let(:anonymizable_uri) { Bundler::AnonymizableURI.new(original_uri) }
+
+ describe "#without_credentials" do
+ context "when the original URI has no credentials" do
+ let(:original_uri) { URI('https://rubygems.org') }
+
+ it "returns the original URI" do
+ expect(anonymizable_uri.without_credentials).to eq(original_uri)
+ end
+ end
+
+ context "when the original URI has a username and password" do
+ let(:original_uri) { URI("https://username:password@gems.example.com") }
+
+ it "returns the URI without username and password" do
+ expect(anonymizable_uri.without_credentials).to eq(URI("https://gems.example.com"))
+ end
+ end
+
+ context "when the original URI has only a username" do
+ let(:original_uri) { URI("https://SeCrEt-ToKeN@gem.fury.io/me/") }
+
+ it "returns the URI without username and password" do
+ expect(anonymizable_uri.without_credentials).to eq(URI("https://gem.fury.io/me/"))
+ end
+ end
+ end
+end
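Review bot: The new spec checks only the stripped form; nothing pins that `original_uri` still carries the credentials that `fetch_gem` in lib/bundler/source/rubygems.rb now relies on, nor that stripping leaves the original untouched. One example in the username-and-password context covers both: `it "keeps the credentials on original_uri" do` / `expect(anonymizable_uri.original_uri.userinfo).to eq("username:password")` / `end`.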
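--- a/spec/install/gems/dependency_api_spec.rb
+++ b/spec/install/gems/dependency_api_spec.rb
@@ -444,6 +444,19 @@ describe "gemcutter's dependency API" do
 expect(out).not_to include("#{user}:#{password}")
 end
+ it "strips http basic auth creds when warning about ambiguous sources" do
+ gemfile <<-G
+ source "#{basic_auth_source_uri}"
+ source "file://#{gem_repo1}"
+ gem "rack"
+ G
+
+ bundle :install, :artifice => "endpoint_basic_authentication"
+ expect(out).to include("Warning: the gem 'rack' was found in multiple sources.")
+ expect(out).not_to include("#{user}:#{password}")
+ should_be_installed "rack 1.0.0"
+ end
+
 it "does not pass the user / password to different hosts on redirect" do
 gemfile <<-G
 source "#{basic_auth_source_uri}"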