Merge pull request #8194 from chrisroberts/fix/curl-credentials

Scrub credentials from box URLs
Chris Roberts 2017-02-23 13:51:47 -08:00 committed by GitHub
commit ccdccf06b5
4 changed files with 69 additions and 8 deletions


@ -168,12 +168,15 @@ module Vagrant
url = url[0]
end
display_original_url = Util::CredentialScrubber.scrub(Array(original_url).first)
display_url = Util::CredentialScrubber.scrub(url)
env[:ui].output(I18n.t(
"vagrant.box_loading_metadata",
name: Array(original_url).first))
name: display_original_url))
if original_url != url
env[:ui].detail(I18n.t(
"vagrant.box_expanding_url", url: url))
"vagrant.box_expanding_url", url: display_url))
end
metadata = nil
@ -189,8 +192,8 @@ module Vagrant
raise if !expanded
raise Errors::BoxAddShortNotFound,
error: e.extra_data[:message],
name: original_url,
url: url
name: display_original_url,
url: display_url
ensure
metadata_path.delete if metadata_path && metadata_path.file?
end
@ -208,12 +211,12 @@ module Vagrant
raise Errors::BoxAddNoMatchingProvider,
name: metadata.name,
requested: provider,
url: url
url: display_url
else
raise Errors::BoxAddNoMatchingVersion,
constraints: version || ">= 0",
name: metadata.name,
url: url,
url: display_url,
versions: metadata.versions.join(", ")
end
end
@ -265,7 +268,7 @@ module Vagrant
raise "Bad box authentication hook, did not generate proper results."
end
provider_url = authed_urls[0]
end
end
box_add(
[[provider_url, metadata_provider.url]],
@ -429,6 +432,7 @@ module Vagrant
if opts[:ui]
show_url = opts[:show_url]
show_url ||= url
display_url = Util::CredentialScrubber.scrub(show_url)
translation = "vagrant.box_downloading"
@ -439,7 +443,7 @@ module Vagrant
env[:ui].detail(I18n.t(
translation,
url: show_url))
url: display_url))
if File.file?(d.destination)
env[:ui].info(I18n.t("vagrant.actions.box.download.resuming"))
end
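Review bot: In the `raise Errors::BoxAddShortNotFound` hunk, `name:` and `url:` now carry the scrubbed values, but `error: e.extra_data[:message]` is still passed through unchanged. If the downloader's message can echo the requested URL (not visible here, so worth confirming), the credentials would still reach the user-facing error text; `error: Util::CredentialScrubber.scrub(e.extra_data[:message])` would close that gap. The enclosing methods start and end outside these hunks, so any other logger or UI call that takes `url` or `show_url` could not be checked from this view.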


@ -2,6 +2,7 @@ module Vagrant
module Util
autoload :Busy, 'vagrant/util/busy'
autoload :Counter, 'vagrant/util/counter'
autoload :CredentialScrubber, 'vagrant/util/credential_scrubber'
autoload :Env, 'vagrant/util/env'
autoload :HashWithIndifferentAccess, 'vagrant/util/hash_with_indifferent_access'
autoload :Platform, 'vagrant/util/platform'


@ -0,0 +1,29 @@
module Vagrant
module Util
# Utility class to remove credential information from strings
class CredentialScrubber
# String used to replace credential information
REPLACEMENT_TEXT = "*****".freeze
# Attempt to remove detected credentials from string
#
# @param [String] string
# @return [String]
def self.scrub(string)
string = url_scrubber(string)
end
# Detect URLs and remove any embedded credentials
#
# @param [String] string
# @return [String]
def self.url_scrubber(string)
string.gsub(%r{(ftp|https?)://[^\s]+@[^\s]+}) do |address|
uri = URI.parse(address)
uri.user = uri.password = REPLACEMENT_TEXT
uri.to_s
end
end
end
end
end
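Review bot: `url_scrubber` can raise from inside what is only a display helper. `URI.parse(address)` throws `URI::InvalidURIError` when the greedy `[^\s]+` match pulls in characters that are not valid in a URI (a trailing quote or bracket from surrounding text, an unencoded character in the password), and as far as I can tell `uri.password=` also raises when the `@` sits in the path or query and the URL has no userinfo at all. Either case turns a UI message into a failed box add, and a rescue that simply returned the input would print the credentials. I would leave matches without userinfo untouched and, on a parse error, mask everything between `://` and the last `@`. The file also relies on `URI` being loaded elsewhere (no `require "uri"`), and the assignment in `string = url_scrubber(string)` is dead.

```ruby
def self.url_scrubber(string)
  string.gsub(%r{(ftp|https?)://[^\s]+@[^\s]+}) do |address|
    begin
      uri = URI.parse(address)
      # "@" was in the path or query: there is no userinfo to mask
      next address if uri.userinfo.nil?
      uri.user = uri.password = REPLACEMENT_TEXT
      uri.to_s
    rescue URI::Error
      # Unparseable match: fail closed and mask up to the last "@"
      address.sub(%r{://.*@}, "://#{REPLACEMENT_TEXT}@")
    end
  end
end
```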


@ -279,6 +279,33 @@ describe Vagrant::Action::Builtin::BoxAdd, :skip_windows do
subject.call(env)
end
context "with URL containing credentials" do
let(:username){ "box-username" }
let(:password){ "box-password" }
it "scrubs credentials in output" do
box_path = iso_env.box2_file(:virtualbox)
with_web_server(box_path) do |port|
env[:box_name] = "foo"
env[:box_url] = "http://#{username}:#{password}@127.0.0.1:#{port}/#{box_path.basename}"
expect(box_collection).to receive(:add).with { |path, name, version, **opts|
expect(checksum(path)).to eq(checksum(box_path))
expect(name).to eq("foo")
expect(version).to eq("0")
expect(opts[:metadata_url]).to be_nil
true
}.and_return(box)
allow(env[:ui]).to receive(:detail)
expect(env[:ui]).to receive(:detail).with(%r{.*http://(?!#{username}).+?:(?!#{password}).+?@127\.0\.0\.1:#{port}/#{box_path.basename}.*})
expect(app).to receive(:call).with(env)
subject.call(env)
end
end
end
end
context "with box metadata" do
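Review bot: The `scrubs credentials in output` example proves that one scrubbed `detail` message is emitted, not that the password is never printed. `allow(env[:ui]).to receive(:detail)` accepts every other `detail` call, including one that carries the raw URL, and `output`/`info` are not checked at all. A negative expectation such as `expect(env[:ui]).not_to receive(:detail).with(/#{Regexp.escape(password)}/)` would pin the property the commit is after. The interpolated `username`, `password` and `box_path.basename` in the positive pattern should also go through `Regexp.escape`, since the `.` in the basename currently matches any character.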