[rubygems/rubygems] Fix private registry credentials being written to logs

samisalamiws · timon · matzbot · commit fbe35bcc825f · 2024-11-08T12:15:31.000Z
ruby/rubygems@d070fa10c1 Co-authored-by: Artem Ignatyev <zazubrik@gmail.com>
diff --git a/lib/bundler/rubygems_integration.rb b/lib/bundler/rubygems_integration.rb
@@ -393,7 +393,9 @@ def fetch_all_remote_specs(remote, gem_remote_fetcher)
     def download_gem(spec, uri, cache_dir, fetcher)
       require "rubygems/remote_fetcher"
       uri = Bundler.settings.mirror_for(uri)
-      Bundler::Retry.new("download gem from #{uri}").attempts do
+      redacted_uri = Gem::Uri.redact(uri)
+
+      Bundler::Retry.new("download gem from #{redacted_uri}").attempts do
         gem_file_name = spec.file_name
         local_gem_path = File.join cache_dir, gem_file_name
         return if File.exist? local_gem_path
@@ -415,7 +417,7 @@ def download_gem(spec, uri, cache_dir, fetcher)
         end
       end
     rescue Gem::RemoteFetcher::FetchError => e
-      raise Bundler::HTTPError, "Could not download gem from #{uri} due to underlying error <#{e.message}>"
+      raise Bundler::HTTPError, "Could not download gem from #{redacted_uri} due to underlying error <#{e.message}>"
     end
 
     def build(spec, skip_validation = false)
diff --git a/spec/bundler/bundler/rubygems_integration_spec.rb b/spec/bundler/bundler/rubygems_integration_spec.rb
@@ -32,7 +32,6 @@
 
   describe "#download_gem" do
     let(:bundler_retry) { double(Bundler::Retry) }
-    let(:uri) { Gem::URI.parse("https://foo.bar") }
     let(:cache_dir) { "#{Gem.path.first}/cache" }
     let(:spec) do
       spec = Gem::Specification.new("Foo", Gem::Version.new("2.5.2"))
@@ -41,13 +40,47 @@
     end
     let(:fetcher) { double("gem_remote_fetcher") }
 
-    it "successfully downloads gem with retries" do
-      expect(Bundler::Retry).to receive(:new).with("download gem from #{uri}/").
-        and_return(bundler_retry)
-      expect(bundler_retry).to receive(:attempts).and_yield
-      expect(fetcher).to receive(:cache_update_path)
+    context "when uri is public" do
+      let(:uri) { Gem::URI.parse("https://foo.bar") }
 
-      Bundler.rubygems.download_gem(spec, uri, cache_dir, fetcher)
+      it "successfully downloads gem with retries" do
+        expect(Bundler::Retry).to receive(:new).with("download gem from #{uri}/").
+          and_return(bundler_retry)
+        expect(bundler_retry).to receive(:attempts).and_yield
+        expect(fetcher).to receive(:cache_update_path)
+
+        Bundler.rubygems.download_gem(spec, uri, cache_dir, fetcher)
+      end
+    end
+
+    context "when uri contains userinfo part" do
+      let(:uri) { Gem::URI.parse("https://#{userinfo}@foo.bar") }
+
+      context "with user and password" do
+        let(:userinfo) { "user:password" }
+
+        it "successfully downloads gem with retries with filtered log" do
+          expect(Bundler::Retry).to receive(:new).with("download gem from https://user:REDACTED@foo.bar/").
+            and_return(bundler_retry)
+          expect(bundler_retry).to receive(:attempts).and_yield
+          expect(fetcher).to receive(:cache_update_path)
+
+          Bundler.rubygems.download_gem(spec, uri, cache_dir, fetcher)
+        end
+      end
+
+      context "with token [as user]" do
+        let(:userinfo) { "token" }
+
+        it "successfully downloads gem with retries with filtered log" do
+          expect(Bundler::Retry).to receive(:new).with("download gem from https://REDACTED@foo.bar/").
+            and_return(bundler_retry)
+          expect(bundler_retry).to receive(:attempts).and_yield
+          expect(fetcher).to receive(:cache_update_path)
+
+          Bundler.rubygems.download_gem(spec, uri, cache_dir, fetcher)
+        end
+      end
     end
   end
 
