Merge pull request #1198 from RyaxTech/replace-password-in-uri-by-stars

Replace password in URI by stars if present to avoid leaking secrets in logs

1 files changed, 29 insertions, 0 deletions

diff --git a/git/util.py b/git/util.py
index 0f475a46..af499028 100644
--- a/git/util.py
+++ b/git/util.py
@@ -17,6 +17,7 @@ import stat
 from sys import maxsize
 import time
 from unittest import SkipTest
+from urllib.parse import urlsplit, urlunsplit
 
 # typing ---------------------------------------------------------
 
@@ -362,6 +363,34 @@ def expand_path(p: PathLike, expand_vars: bool = True) -> Optional[PathLike]:
     except Exception:
         return None
 
+
+def remove_password_if_present(cmdline):
+    """
+    Parse any command line argument and if on of the element is an URL with a
+    password, replace it by stars (in-place).
+
+    If nothing found just returns the command line as-is.
+
+    This should be used for every log line that print a command line.
+    """
+    new_cmdline = []
+    for index, to_parse in enumerate(cmdline):
+        new_cmdline.append(to_parse)
+        try:
+            url = urlsplit(to_parse)
+            # Remove password from the URL if present
+            if url.password is None:
+                continue
+
+            edited_url = url._replace(
+                netloc=url.netloc.replace(url.password, "*****"))
+            new_cmdline[index] = urlunsplit(edited_url)
+        except ValueError:
+            # This is not a valid URL
+            continue
+    return new_cmdline
+
+
 #} END utilities
 
 #{ Classes