Add more test and remove password also from error logs

mickours · mickours · commit 50cbafc690e5 · 2021-03-15T18:48:34.000+01:00
diff --git a/git/cmd.py b/git/cmd.py
@@ -82,8 +82,8 @@ def pump_stream(cmdline, name, stream, is_decode, handler):
                         line = line.decode(defenc)
                     handler(line)
         except Exception as ex:
-            log.error("Pumping %r of cmd(%s) failed due to: %r", name, cmdline, ex)
-            raise CommandError(['<%s-pump>' % name] + cmdline, ex) from ex
+            log.error("Pumping %r of cmd(%s) failed due to: %r", name, remove_password_if_present(cmdline), ex)
+            raise CommandError(['<%s-pump>' % name] + remove_password_if_present(cmdline), ex) from ex
         finally:
             stream.close()
 
diff --git a/git/util.py b/git/util.py
@@ -343,13 +343,13 @@ def expand_path(p, expand_vars=True):
 def remove_password_if_present(cmdline):
     """
     Parse any command line argument and if on of the element is an URL with a
-    password, replace it by stars.  If nothing found just returns a copy of the
-    command line as-is.
+    password, replace it by stars (in-place).
+
+    If nothing found just returns the command line as-is.
 
     This should be used for every log line that print a command line.
     """
-    redacted_cmdline = []
-    for to_parse in cmdline:
+    for index, to_parse in enumerate(cmdline):
         try:
             url = urlsplit(to_parse)
             # Remove password from the URL if present
@@ -358,12 +358,11 @@ def remove_password_if_present(cmdline):
 
             edited_url = url._replace(
                 netloc=url.netloc.replace(url.password, "*****"))
-            redacted_cmdline.append(urlunsplit(edited_url))
+            cmdline[index] = urlunsplit(edited_url)
         except ValueError:
-            redacted_cmdline.append(to_parse)
             # This is not a valid URL
             pass
-    return redacted_cmdline
+    return cmdline
 
 
 #} END utilities
diff --git a/test/test_util.py b/test/test_util.py
@@ -30,7 +30,8 @@
     Actor,
     IterableList,
     cygpath,
-    decygpath
+    decygpath,
+    remove_password_if_present,
 )
 
 
@@ -322,3 +323,17 @@ def test_pickle_tzoffset(self):
         t2 = pickle.loads(pickle.dumps(t1))
         self.assertEqual(t1._offset, t2._offset)
         self.assertEqual(t1._name, t2._name)
+
+    def test_remove_password_from_command_line(self):
+        """Check that the password is not printed on the logs"""
+        password = "fakepassword1234"
+        url_with_pass = "https://fakeuser:{}@fakerepo.example.com/testrepo".format(password)
+        url_without_pass = "https://fakerepo.example.com/testrepo"
+
+        cmd_1 = ["git", "clone", "-v", url_with_pass]
+        cmd_2 = ["git", "clone", "-v", url_without_pass]
+        cmd_3 = ["no", "url", "in", "this", "one"]
+
+        assert password not in remove_password_if_present(cmd_1)
+        assert cmd_2 == remove_password_if_present(cmd_2)
+        assert cmd_3 == remove_password_if_present(cmd_3)
