Merge pull request #8194 from chrisroberts/fix/curl-credentials
Scrub credentials from box URLs
This commit is contained in:
commit
ccdccf06b5
|
@ -168,12 +168,15 @@ module Vagrant
|
|||
url = url[0]
|
||||
end
|
||||
|
||||
display_original_url = Util::CredentialScrubber.scrub(Array(original_url).first)
|
||||
display_url = Util::CredentialScrubber.scrub(url)
|
||||
|
||||
env[:ui].output(I18n.t(
|
||||
"vagrant.box_loading_metadata",
|
||||
name: Array(original_url).first))
|
||||
name: display_original_url))
|
||||
if original_url != url
|
||||
env[:ui].detail(I18n.t(
|
||||
"vagrant.box_expanding_url", url: url))
|
||||
"vagrant.box_expanding_url", url: display_url))
|
||||
end
|
||||
|
||||
metadata = nil
|
||||
|
@ -189,8 +192,8 @@ module Vagrant
|
|||
raise if !expanded
|
||||
raise Errors::BoxAddShortNotFound,
|
||||
error: e.extra_data[:message],
|
||||
name: original_url,
|
||||
url: url
|
||||
name: display_original_url,
|
||||
url: display_url
|
||||
ensure
|
||||
metadata_path.delete if metadata_path && metadata_path.file?
|
||||
end
|
||||
|
@ -208,12 +211,12 @@ module Vagrant
|
|||
raise Errors::BoxAddNoMatchingProvider,
|
||||
name: metadata.name,
|
||||
requested: provider,
|
||||
url: url
|
||||
url: display_url
|
||||
else
|
||||
raise Errors::BoxAddNoMatchingVersion,
|
||||
constraints: version || ">= 0",
|
||||
name: metadata.name,
|
||||
url: url,
|
||||
url: display_url,
|
||||
versions: metadata.versions.join(", ")
|
||||
end
|
||||
end
|
||||
|
@ -265,7 +268,7 @@ module Vagrant
|
|||
raise "Bad box authentication hook, did not generate proper results."
|
||||
end
|
||||
provider_url = authed_urls[0]
|
||||
end
|
||||
end
|
||||
|
||||
box_add(
|
||||
[[provider_url, metadata_provider.url]],
|
||||
|
@ -429,6 +432,7 @@ module Vagrant
|
|||
if opts[:ui]
|
||||
show_url = opts[:show_url]
|
||||
show_url ||= url
|
||||
display_url = Util::CredentialScrubber.scrub(show_url)
|
||||
|
||||
translation = "vagrant.box_downloading"
|
||||
|
||||
|
@ -439,7 +443,7 @@ module Vagrant
|
|||
|
||||
env[:ui].detail(I18n.t(
|
||||
translation,
|
||||
url: show_url))
|
||||
url: display_url))
|
||||
if File.file?(d.destination)
|
||||
env[:ui].info(I18n.t("vagrant.actions.box.download.resuming"))
|
||||
end
|
||||
|
|
|
@ -2,6 +2,7 @@ module Vagrant
|
|||
module Util
|
||||
autoload :Busy, 'vagrant/util/busy'
|
||||
autoload :Counter, 'vagrant/util/counter'
|
||||
autoload :CredentialScrubber, 'vagrant/util/credential_scrubber'
|
||||
autoload :Env, 'vagrant/util/env'
|
||||
autoload :HashWithIndifferentAccess, 'vagrant/util/hash_with_indifferent_access'
|
||||
autoload :Platform, 'vagrant/util/platform'
|
||||
|
|
|
@ -0,0 +1,29 @@
|
|||
module Vagrant
|
||||
module Util
|
||||
# Utility class to remove credential information from strings
|
||||
class CredentialScrubber
|
||||
# String used to replace credential information
|
||||
REPLACEMENT_TEXT = "*****".freeze
|
||||
|
||||
# Attempt to remove detected credentials from string
|
||||
#
|
||||
# @param [String] string
|
||||
# @return [String]
|
||||
def self.scrub(string)
|
||||
string = url_scrubber(string)
|
||||
end
|
||||
|
||||
# Detect URLs and remove any embedded credentials
|
||||
#
|
||||
# @param [String] string
|
||||
# @return [String]
|
||||
def self.url_scrubber(string)
|
||||
string.gsub(%r{(ftp|https?)://[^\s]+@[^\s]+}) do |address|
|
||||
uri = URI.parse(address)
|
||||
uri.user = uri.password = REPLACEMENT_TEXT
|
||||
uri.to_s
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -279,6 +279,33 @@ describe Vagrant::Action::Builtin::BoxAdd, :skip_windows do
|
|||
|
||||
subject.call(env)
|
||||
end
|
||||
|
||||
context "with URL containing credentials" do
|
||||
let(:username){ "box-username" }
|
||||
let(:password){ "box-password" }
|
||||
|
||||
it "scrubs credentials in output" do
|
||||
box_path = iso_env.box2_file(:virtualbox)
|
||||
with_web_server(box_path) do |port|
|
||||
env[:box_name] = "foo"
|
||||
env[:box_url] = "http://#{username}:#{password}@127.0.0.1:#{port}/#{box_path.basename}"
|
||||
|
||||
expect(box_collection).to receive(:add).with { |path, name, version, **opts|
|
||||
expect(checksum(path)).to eq(checksum(box_path))
|
||||
expect(name).to eq("foo")
|
||||
expect(version).to eq("0")
|
||||
expect(opts[:metadata_url]).to be_nil
|
||||
true
|
||||
}.and_return(box)
|
||||
|
||||
allow(env[:ui]).to receive(:detail)
|
||||
expect(env[:ui]).to receive(:detail).with(%r{.*http://(?!#{username}).+?:(?!#{password}).+?@127\.0\.0\.1:#{port}/#{box_path.basename}.*})
|
||||
expect(app).to receive(:call).with(env)
|
||||
|
||||
subject.call(env)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context "with box metadata" do
|
||||
|
|
Loading…
Reference in New Issue