Fix an edge case where Link.filename can leak auth information.

2019-06-22 16:34:51 -07:00 · 2019-06-22 16:34:51 -07:00 · 0ed518f0dc
parent b6077c5227
commit 0ed518f0dc
2 changed files with 27 additions and 2 deletions
--- a/src/pip/_internal/models/link.py
+++ b/src/pip/_internal/models/link.py
@ -4,7 +4,8 @@ import re
 from pip._vendor.six.moves.urllib import parse as urllib_parse

 from pip._internal.utils.misc import (
-    WHEEL_EXTENSION, path_to_url, redact_password_from_url, splitext,
+    WHEEL_EXTENSION, path_to_url, redact_password_from_url,
+    split_auth_from_netloc, splitext,
 )
 from pip._internal.utils.models import KeyBasedCompareMixin
 from pip._internal.utils.typing import MYPY_CHECK_RUNNING
@ -68,7 +69,13 @@ class Link(KeyBasedCompareMixin):
    def filename(self):
        # type: () -> str
        path = self.path.rstrip('/')
-        name = posixpath.basename(path) or self.netloc
+        name = posixpath.basename(path)
+        if not name:
+            # Make sure we don't leak auth information if the netloc
+            # includes a username and password.
+            netloc, user_pass = split_auth_from_netloc(self.netloc)
+            return netloc
+
        name = urllib_parse.unquote(name)
        assert name, ('URL %r produced no filename' % self._url)
        return name
@ -81,6 +88,9 @@ class Link(KeyBasedCompareMixin):
    @property
    def netloc(self):
        # type: () -> str
+        """
+        This can contain auth information.
+        """
        return self._parsed_url[1]

    @property
--- a/tests/unit/test_link.py
+++ b/tests/unit/test_link.py
@ -5,6 +5,16 @@ from pip._internal.models.link import Link

 class TestLink:

+    @pytest.mark.parametrize('url, expected', [
+        (
+            'https://user:password@example.com/path/page.html',
+            '<Link https://user:****@example.com/path/page.html>',
+        ),
+    ])
+    def test_repr(self, url, expected):
+        link = Link(url)
+        assert repr(link) == expected
+
    @pytest.mark.parametrize('url, expected', [
        ('http://yo/wheel.whl', 'wheel.whl'),
        ('http://yo/wheel', 'wheel'),
@ -20,6 +30,11 @@ class TestLink:
        ('https://example.com/path//', 'path'),
        # Test a url with no filename.
        ('https://example.com/', 'example.com'),
+        # Test a url with no filename and with auth information.
+        (
+            'https://user:password@example.com/',
+            'example.com',
+        ),
    ])
    def test_filename(self, url, expected):
        link = Link(url)