ruby-changes:67477
From: Daniel <ko1@a...>
Date: Tue, 31 Aug 2021 19:07:56 +0900 (JST)
Subject: [ruby-changes:67477] 19e1d3cdce (master): [rubygems/rubygems] Using `Gem::PrintableUri` in `Gem::Request` class
https://git.ruby-lang.org/ruby.git/commit/?id=19e1d3cdce
From 19e1d3cdce96b9e58a0947b6fcbabd6da06cbd11 Mon Sep 17 00:00:00 2001
From: Daniel Niknam <mhmd.niknam@g...>
Date: Sun, 22 Aug 2021 01:37:32 +1000
Subject: [rubygems/rubygems] Using `Gem::PrintableUri` in `Gem::Request` class
The `@uri` variable could be a source URI with a credential. Using `Gem::PrintableUri` to make sure we are redacting sensitive information from it when logging on verbose mode.
https://github.com/rubygems/rubygems/commit/f566787211
---
 lib/rubygems/request.rb | 3 ++-
 test/rubygems/test_gem_request.rb | 34 ++++++++++++++++++++++++++++++----
 2 files changed, 32 insertions(+), 5 deletions(-)
diff --git a/lib/rubygems/request.rb b/lib/rubygems/request.rb
index 16a368e..fdc4c55 100644
--- a/lib/rubygems/request.rb
+++ b/lib/rubygems/request.rb
@@ -184,6 +184,7 @@ class Gem::Request https://github.com/ruby/ruby/blob/trunk/lib/rubygems/request.rb#L184
 def perform_request(request) # :nodoc:
 connection = connection_for @uri
+ uri = Gem::PrintableUri.parse_uri(@uri)
 retried = false
 bad_response = false
@@ -191,7 +192,7 @@ class Gem::Request https://github.com/ruby/ruby/blob/trunk/lib/rubygems/request.rb#L192
 begin
 @requests[connection.object_id] += 1
- verbose "#{request.method} #{@uri}"
+ verbose "#{request.method} #{uri}"
 file_name = File.basename(@uri.path)
 # perform download progress reporter only for gems
diff --git a/test/rubygems/test_gem_request.rb b/test/rubygems/test_gem_request.rb
index 780150d..0c370c8 100644
--- a/test/rubygems/test_gem_request.rb
+++ b/test/rubygems/test_gem_request.rb
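Review bot: The local `uri` introduced at the top of `perform_request` is a `Gem::PrintableUri` intended only for the verbose log line, but its name makes it read as a drop-in for `@uri`, and a later edit that hands it to `connection_for` or `File.basename` would silently lose the credential or change the path type. Naming it for its one purpose and saying so in place avoids that: `printable_uri = Gem::PrintableUri.parse_uri(@uri) # redacted copy for log output only; the request itself still uses @uri` and `verbose "#{request.method} #{printable_uri}"`. `perform_request` continues past the second hunk, so whether `@uri` is interpolated into any other log or error message further down the method is not visible here; any such site would need the same redaction.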
@@ -197,27 +197,53 @@ class TestGemRequest < Gem::TestCase https://github.com/ruby/ruby/blob/trunk/test/rubygems/test_gem_request.rb#L197
 end
 def test_fetch_basic_auth
+ Gem.configuration.verbose = :really
 uri = URI.parse "https://user:pass@e.../specs.#{Gem.marshal_version}"
 conn = util_stub_net_http(:body => :junk, :code => 200) do |c|
- @request = make_request(uri, Net::HTTP::Get, nil, nil)
- @request.fetch
+ use_ui @ui do
+ @request = make_request(uri, Net::HTTP::Get, nil, nil)
+ @request.fetch
+ end
 c
 end
 auth_header = conn.payload['Authorization']
 assert_equal "Basic #{Base64.encode64('user:pass')}".strip, auth_header
+ assert_includes @ui.output, "GET https://user:REDACTED@e.../specs.#{Gem.marshal_version}"
 end
 def test_fetch_basic_auth_encoded
+ Gem.configuration.verbose = :really
 uri = URI.parse "https://user:%7BDEScede%7Dpass@e.../specs.#{Gem.marshal_version}"
+
 conn = util_stub_net_http(:body => :junk, :code => 200) do |c|
- @request = make_request(uri, Net::HTTP::Get, nil, nil)
- @request.fetch
+ use_ui @ui do
+ @request = make_request(uri, Net::HTTP::Get, nil, nil)
+ @request.fetch
+ end
 c
 end
 auth_header = conn.payload['Authorization']
 assert_equal "Basic #{Base64.encode64('user:{DEScede}pass')}".strip, auth_header
+ assert_includes @ui.output, "GET https://user:REDACTED@e.../specs.#{Gem.marshal_version}"
+ end
+
+ def test_fetch_basic_oauth_encoded
+ Gem.configuration.verbose = :really
+ uri = URI.parse "https://%7BDEScede%7Dpass:x-oauth-basic@e.../specs.#{Gem.marshal_version}"
+
+ conn = util_stub_net_http(:body => :junk, :code => 200) do |c|
+ use_ui @ui do
+ @request = make_request(uri, Net::HTTP::Get, nil, nil)
+ @request.fetch
+ end
+ c
+ end
+
+ auth_header = conn.payload['Authorization']
+ assert_equal "Basic #{Base64.encode64('{DEScede}pass:x-oauth-basic')}".strip, auth_header
+ assert_includes @ui.output, "GET https://REDACTED:x-oauth-basic@e.../specs.#{Gem.marshal_version}"
 end
 def test_fetch_head
-- cgit v1.1
-- ML: ruby-changes@q...
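Review bot: Each new `assert_includes @ui.output, "GET https://user:REDACTED@…"` proves the redacted form is printed, but not that the secret is absent from the output, which is the property this change exists to guarantee; a second log line or a fallback path that printed the raw userinfo would leave these tests green. Pair each positive check with a negative one, e.g. `refute_includes @ui.output, "user:pass@"` in `test_fetch_basic_auth` and `refute_includes @ui.output, "%7BDEScede%7Dpass"` in the encoded and oauth cases, so a regression that leaks the credential alongside the redacted line is caught. `Gem.configuration.verbose = :really` is set in all three tests with no reset visible in this hunk; if the suite's teardown does not restore it, the setting leaks into later tests.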