Replace password in URI by stars if present + test

mickours · mickours · commit 3a4fc6abfb3b · 2021-03-11T18:46:34.000+01:00
diff --git a/git/repo/base.py b/git/repo/base.py
@@ -969,7 +969,13 @@ def _clone(cls, git, url, path, odb_default_type, progress, multi_options=None,
             handle_process_output(proc, None, progress.new_message_handler(), finalize_process, decode_streams=False)
         else:
             (stdout, stderr) = proc.communicate()
-            log.debug("Cmd(%s)'s unused stdout: %s", getattr(proc, 'args', ''), stdout)
+            cmdline = getattr(proc, 'args', '')
+            uri = cmdline[-2]
+            if "://" in uri and "@" in uri:
+                cred = uri.split("://")[1].split("@")[0].split(":")
+                if len(cred) == 2:
+                    cmdline[-2] = uri.replace(cred[1], "******")
+            log.debug("Cmd(%s)'s unused stdout: %s", cmdline, stdout)
             finalize_process(proc, stderr=stderr)
 
         # our git command could have a different working dir than our actual
diff --git a/test/test_repo.py b/test/test_repo.py
@@ -238,6 +238,17 @@ def test_clone_from_with_path_contains_unicode(self):
             except UnicodeEncodeError:
                 self.fail('Raised UnicodeEncodeError')
 
+    @with_rw_directory
+    def test_leaking_password_in_clone_logs(self, rw_dir):
+        """Check that the password is not printed on the logs"""
+        password = "fakepassword1234"
+        try:
+            Repo.clone_from(
+                url=f"https://fakeuser:{password}@fakerepo.example.com/testrepo",
+                to_path=rw_dir)
+        except GitCommandError as err:
+            assert password not in str(err)
+
     @with_rw_repo('HEAD')
     def test_max_chunk_size(self, repo):
         class TestOutputStream(TestBase):
