
ruby-changes:67483

From: Daniel <ko1@a...>
Date: Tue, 31 Aug 2021 19:08:07 +0900 (JST)
Subject: [ruby-changes:67483] 31c2e6c08e (master): [rubygems/rubygems] Using `Gem::PrintableUri` in `Gem::Commands::InstallCommand` class

https://git.ruby-lang.org/ruby.git/commit/?id=31c2e6c08e

From 31c2e6c08eccf77ec24126b9c77a910a4e543293 Mon Sep 17 00:00:00 2001
From: Daniel Niknam <mhmd.niknam@g...>
Date: Sun, 22 Aug 2021 01:33:21 +1000
Subject: [rubygems/rubygems] Using `Gem::PrintableUri` in
 `Gem::Commands::InstallCommand` class

The `x.source.uri` could be a source URI with a credential. Use `Gem::PrintableUri` to make sure we redact sensitive information from it.

https://github.com/rubygems/rubygems/commit/8755ee0aaa
---
 lib/rubygems/commands/install_command.rb           |  4 +++-
 test/rubygems/test_gem_commands_install_command.rb | 25 ++++++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/lib/rubygems/commands/install_command.rb b/lib/rubygems/commands/install_command.rb
index 92430ea..ee50cba 100644
--- a/lib/rubygems/commands/install_command.rb
+++ b/lib/rubygems/commands/install_command.rb
@@ -5,6 +5,7 @@ require_relative '../dependency_installer' https://github.com/ruby/ruby/blob/trunk/lib/rubygems/commands/install_command.rb#L5
 require_relative '../local_remote_options'
 require_relative '../validator'
 require_relative '../version_option'
+require_relative '../printable_uri'
 
 ##
 # Gem installer command line tool
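Review bot: the new `require_relative '../printable_uri'` is appended after `version_option`, which breaks the alphabetical order the surrounding requires follow (`dependency_installer`, `local_remote_options`, `validator`, `version_option`); placing it between `local_remote_options` and `validator` keeps the block sorted and makes the next addition easier to spot in review.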
@@ -260,7 +261,8 @@ You can use `i` command instead of `install`. https://github.com/ruby/ruby/blob/trunk/lib/rubygems/commands/install_command.rb#L261
     errors.each do |x|
       return unless Gem::SourceFetchProblem === x
 
-      msg = "Unable to pull data from '#{x.source.uri}': #{x.error.message}"
+      printable_uri = Gem::PrintableUri.parse_uri(x.source.uri.clone)
+      msg = "Unable to pull data from '#{printable_uri}': #{x.error.message}"
 
       alert_warning msg
     end
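Review bot: only the `x.source.uri` half of the message is redacted; `x.error.message` is interpolated unchanged, and the expected string in the new test (`no data for http://username:REDACTED@.../specs.4.8.gz`) shows the error text itself embeds the source URL, so the redaction of that part silently depends on whoever raised the `Gem::SourceFetchProblem` having scrubbed it already. A comment stating that assumption, or passing the message through the same redaction, would make the guarantee local to this code. The `.clone` on `x.source.uri` also deserves a one-line comment explaining why the copy is needed (presumably `Gem::PrintableUri.parse_uri` mutates the URI it receives), so a later reader does not remove it as redundant.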
diff --git a/test/rubygems/test_gem_commands_install_command.rb b/test/rubygems/test_gem_commands_install_command.rb
index 48ac040..5351809 100644
--- a/test/rubygems/test_gem_commands_install_command.rb
+++ b/test/rubygems/test_gem_commands_install_command.rb
@@ -1067,6 +1067,31 @@ ERROR:  Possible alternatives: non_existent_with_hint https://github.com/ruby/ruby/blob/trunk/test/rubygems/test_gem_commands_install_command.rb#L1067
     assert_equal x, e
   end
 
+  def test_redact_credentials_from_uri_on_warning
+    spec_fetcher do |fetcher|
+      fetcher.download 'a', 2
+    end
+
+    Gem.sources << "http://username:SECURE_TOKEN@n..."
+
+    @cmd.options[:args] = %w[a]
+
+    use_ui @ui do
+      assert_raise Gem::MockGemUi::SystemExitException, @ui.error do
+        @cmd.execute
+      end
+    end
+
+    assert_equal %w[a-2], @cmd.installed_specs.map {|spec| spec.full_name }
+
+    assert_match "1 gem installed", @ui.output
+
+    e = @ui.error
+
+    x = "WARNING:  Unable to pull data from 'http://username:REDACTED@n...': no data for http://username:REDACTED@n.../specs.4.8.gz (http://username:REDACTED@n.../specs.4.8.gz)\n"
+    assert_equal x, e
+  end
+
   def test_execute_uses_from_a_gemdeps
     spec_fetcher do |fetcher|
       fetcher.gem 'a', 2
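Review bot: the test asserts that the `REDACTED` form appears but never asserts that the raw secret is absent, so the security property is only checked indirectly through exact string equality; adding `refute_match 'SECURE_TOKEN', @ui.error` (and the same for `@ui.output`) states it explicitly and survives future changes to the message wording. Separately, `Gem.sources << "http://username:SECURE_TOKEN@..."` mutates global state and the test never removes the entry; unless this test case's teardown already resets `Gem.sources`, later tests in the file inherit the bogus source, so either confirm that or restore the sources in an `ensure` block.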
-- 
cgit v1.1
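The behaviour the patch relies on, as an added example in plain Ruby that is not RubyGems' code and does not reproduce `Gem::PrintableUri`: a small helper on the standard `URI` library replaces the password (or a bare token in the user slot) with `REDACTED` before the source URI is interpolated into the warning, and the warning builder also scrubs the secret from the error text, the part the patch itself leaves untouched. The helper names and the `gems.example.test` host are assumptions; the sample URI and error message are constructed.

```ruby
require 'uri'

# Added example, not RubyGems' code. The helper names and the sample host
# gems.example.test are assumptions chosen for this illustration.

# Return a printable copy of a gem source URI with its credential hidden.
# Accepts a URI object or a string and never mutates the caller's object
# (the `.clone` in the patch serves the same purpose).
def redact_uri_credentials(uri_or_string)
  uri = uri_or_string.is_a?(URI::Generic) ? uri_or_string.dup : URI.parse(uri_or_string.to_s)
  if uri.password
    # user:password form: keep the user name visible, hide only the secret
    uri.password = 'REDACTED'
  elsif uri.user
    # a bare token in the user slot is just as sensitive, so hide it as well
    uri.user = 'REDACTED'
  end
  uri.to_s
rescue URI::InvalidURIError
  # never echo an unparseable value; it may still contain the secret
  '<unparseable source uri>'
end

# Build the warning printed for a failed source fetch. Besides redacting the
# URI, scrub the secret from the error text, because fetch errors frequently
# embed the full URL they failed on.
def source_fetch_warning(source_uri, error_message)
  secret = begin
    parsed = URI.parse(source_uri.to_s)
    parsed.password || parsed.user
  rescue URI::InvalidURIError
    nil
  end
  text = error_message.to_s
  text = text.gsub(secret, 'REDACTED') if secret && !secret.empty?
  "Unable to pull data from '#{redact_uri_credentials(source_uri)}': #{text}"
end

if __FILE__ == $PROGRAM_NAME
  # constructed sample: a source URI carrying a token and an error that echoes it
  src = 'http://username:SECURE_TOKEN@gems.example.test/'
  err = "no data for #{src}specs.4.8.gz"
  puts source_fetch_warning(src, err)
end
```

Scrubbing the error text by literal substitution is deliberately simple: it catches the common case where the fetcher echoes the URL it failed on, but it cannot recover a secret that the error producer has already transformed (percent-encoded, truncated, hashed), so redaction at the point where the error is raised remains the stronger fix.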


--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/
