fix(ci): filter user credentials from SSH git repo URLs [backport 1.19] (#7404)

Backport a5037a7 from #7376 to 1.19.

## Motivation

While `dd-trace-py` filters user credentials such as usernames and
passwords from HTTPS git repository URLs, this does not happen with SSH
git repository URLs.

This PR aims to filter user credentials from SSH git repo URLs.

## Checklist

- [X] Change(s) are motivated and described in the PR description.
- [X] Testing strategy is described if automated tests are not included
in the PR.
- [X] Risk is outlined (performance impact, potential for breakage,
maintainability, etc).
- [X] Change is maintainable (easy to change, telemetry, documentation).
- [X] [Library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
are followed. If no release note is required, add label
`changelog/no-changelog`.
- [X] Documentation is included (in-code, generated user docs, [public
corp docs](https://github.com/DataDog/documentation/)).
- [X] Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist

- [x] Title is accurate.
- [x] No unnecessary changes are introduced.
- [x] Description motivates each change.
- [x] Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes unless absolutely necessary.
- [x] Testing strategy adequately addresses listed risk(s).
- [x] Change is maintainable (easy to change, telemetry, documentation).
- [x] Release note makes sense to a user of the library.
- [x] Reviewer has explicitly acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment.
- [x] Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)
- [x] If this PR touches code that signs or publishes builds or
packages, or handles credentials of any kind, I've requested a review
from `@DataDog/security-design-and-guidance`.
- [x] This PR doesn't touch any of that.

Co-authored-by: Eric Navarro <[email protected]>

Author: github-actions[bot]

ddtrace/ext/ci.py

@@ -72,7 +72,7 @@
 # CI Visibility env vars used for pipeline correlation ID
 _CI_ENV_VARS = "_dd.ci.env_vars"
 
-_RE_URL = re.compile(r"(https?://)[^/]*@")
+_RE_URL = re.compile(r"(https?://|ssh://)[^/]*@")
 
 
 log = get_logger(__name__)

releasenotes/notes/filter-sensititive-ssh-git-repo-url-cc4ca37227b4e602.yaml

@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    CI: fixes an issue which prevented the library from filtering user credentials for SSH Git repository URLs
+

tests/tracer/test_ci.py

@@ -9,6 +9,7 @@
 
 from ddtrace.ext import ci
 from ddtrace.ext import git
+from ddtrace.ext.ci import _filter_sensitive_info
 from tests import utils
 
 
@@ -72,6 +73,32 @@ def test_git_extract_repository_url(git_repo):
     assert git.extract_repository_url(cwd=git_repo) == expected_repository_url
 
 
+def test_git_filter_repository_url_valid():
+    """Make sure that valid git repository urls are not filtered."""
+    valid_url_1 = "https://github.com/DataDog/dd-trace-py.git"
+    valid_url_2 = "[email protected]:DataDog/dd-trace-py.git"
+    valid_url_3 = "ssh://github.com/Datadog/dd-trace-py.git"
+
+    assert _filter_sensitive_info(valid_url_1) == valid_url_1
+    assert _filter_sensitive_info(valid_url_2) == valid_url_2
+    assert _filter_sensitive_info(valid_url_3) == valid_url_3
+
+
+def test_git_filter_repository_url_invalid():
+    """Make sure that valid git repository urls are not filtered."""
+    invalid_url_1 = "https://username:[email protected]/DataDog/dd-trace-py.git"
+    invalid_url_2 = "https://[email protected]/DataDog/dd-trace-py.git"
+
+    invalid_url_3 = "ssh://username:[email protected]/DataDog/dd-trace-py.git"
+    invalid_url_4 = "ssh://[email protected]/DataDog/dd-trace-py.git"
+
+    assert _filter_sensitive_info(invalid_url_1) == "https://github.com/DataDog/dd-trace-py.git"
+    assert _filter_sensitive_info(invalid_url_2) == "https://github.com/DataDog/dd-trace-py.git"
+
+    assert _filter_sensitive_info(invalid_url_3) == "ssh://github.com/DataDog/dd-trace-py.git"
+    assert _filter_sensitive_info(invalid_url_4) == "ssh://github.com/DataDog/dd-trace-py.git"
+
+
 def test_git_extract_repository_url_error(git_repo_empty):
     """On error, the repository url tag should not be extracted, and should internally raise an error."""
     with pytest.raises(ValueError):