Add url_redact() and tests: Ensure we avoid leaking passwords or tokens

Mark Ruvald Pedersen · Mark Ruvald Pedersen · commit b204af84c1df · 2023-07-31T11:34:48.000+02:00
Artifact's commit message contains the src-repo's URL.
This URL may contain sensitive information which should be filtered out.
diff --git a/src/git_recycle_bin.py b/src/git_recycle_bin.py
@@ -6,9 +6,9 @@
 import argparse
 import subprocess
 import mimetypes
+import urllib.parse
 from itertools import takewhile
 
-import datetime
 import datetime
 import dateutil.relativedelta
 from dateutil.tz import tzlocal
@@ -115,6 +115,29 @@ def sanitize_branch_name(name: str) -> str:
     return sanitized_name
 
 
+def url_redact(url: str, replacement: str = 'REDACTED'):
+    """ Replace sensitive password/api-token from URL with a string """
+    parsed = urllib.parse.urlparse(url)
+
+    # If there is no password, return the original URL
+    if not parsed.password:
+        return url
+
+    # Redact the password/token
+    new_netloc = parsed.netloc.replace(parsed.password, replacement)
+
+    # Reconstruct the URL
+    redacted_url = urllib.parse.urlunparse((
+        parsed.scheme,
+        new_netloc,
+        parsed.path,
+        parsed.params,
+        parsed.query,
+        parsed.fragment
+    ))
+
+    return redacted_url
+
 
 def exec(command):
     printer.debug("Run:", command, file=sys.stderr)
diff --git a/tests/test_artifact.py b/tests/test_artifact.py
@@ -68,3 +68,23 @@ def test_parse_expire_datetime():
 
 def test_parse_expire_datetime_invalid():
     assert grb.parse_expire_date(prefix_discard="artifact/expire/", expiry_formatted="artifact/expire/30d/") == {"date":None, "time":None, "tzoffset":None}
+
+def test_url_redact():
+    assert grb.url_redact(url="https://foo:pass@service/my/repo.git", replacement="REDACTED") == "https://foo:REDACTED@service/my/repo.git"
+    assert grb.url_redact(url="https://foo@service/my/repo.git", replacement="REDACTED")      == "https://foo@service/my/repo.git"
+    assert grb.url_redact(url="https://service/my/repo.git", replacement="REDACTED")          == "https://service/my/repo.git"
+    assert grb.url_redact(url="https://service/my/re:po.git", replacement="REDACTED")         == "https://service/my/re:po.git"
+    assert grb.url_redact(url="https://service/my/re:po@hmm.git", replacement="REDACTED")     == "https://service/my/re:po@hmm.git"
+
+    assert grb.url_redact(url="ssh://foo:pass@service/my/repo.git", replacement="REDACTED")   == "ssh://foo:REDACTED@service/my/repo.git"
+    assert grb.url_redact(url="ssh://[foo:pass@service]/my/repo.git", replacement="REDACTED") == "ssh://[foo:REDACTED@service]/my/repo.git"
+    assert grb.url_redact(url="ssh://foo@service/my/repo.git", replacement="REDACTED")        == "ssh://foo@service/my/repo.git"
+    assert grb.url_redact(url="ssh://service/my/repo.git", replacement="REDACTED")            == "ssh://service/my/repo.git"
+    assert grb.url_redact(url="ssh://service/my/re:po.git", replacement="REDACTED")           == "ssh://service/my/re:po.git"
+    assert grb.url_redact(url="ssh://service/my/re:po@hmm.git", replacement="REDACTED")       == "ssh://service/my/re:po@hmm.git"
+
+    assert grb.url_redact(url="foo:pass@service/my/repo.git", replacement="REDACTED") == "foo:pass@service/my/repo.git"
+    assert grb.url_redact(url="foo@service/my/repo.git", replacement="REDACTED")      == "foo@service/my/repo.git"
+    assert grb.url_redact(url="service/my/repo.git", replacement="REDACTED")          == "service/my/repo.git"
+    assert grb.url_redact(url="service/my/re:po.git", replacement="REDACTED")         == "service/my/re:po.git"
+    assert grb.url_redact(url="service/my/re:po@hmm.git", replacement="REDACTED")     == "service/my/re:po@hmm.git"
