From 92263108cce1be5eb26b3487f1581a646aa73ff8 Mon Sep 17 00:00:00 2001
From: Charlie Marsh
Date: Tue, 13 Aug 2024 19:48:59 -0400
Subject: [PATCH] Redact Git credentials in lockfile (#6070)

## Summary

Closes https://github.com/astral-sh/uv/issues/6055.
---
 crates/uv-resolver/src/lock.rs | 4 ++++
 crates/uv/tests/lock.rs | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/crates/uv-resolver/src/lock.rs b/crates/uv-resolver/src/lock.rs
index f94ba9f79..414e23278 100644
--- a/crates/uv-resolver/src/lock.rs
+++ b/crates/uv-resolver/src/lock.rs
@@ -2011,6 +2011,10 @@ impl From for GitReference {
 fn locked_git_url(git_dist: &GitSourceDist) -> Url {
 let mut url = git_dist.git.repository().clone();

+ // Redact the credentials.
+ let _ = url.set_username("");
+ let _ = url.set_password(None);
+
 // Clear out any existing state.
 url.set_fragment(None);
 url.set_query(None);
diff --git a/crates/uv/tests/lock.rs b/crates/uv/tests/lock.rs
index ee4dfe315..f0ed15597 100644
--- a/crates/uv/tests/lock.rs
+++ b/crates/uv/tests/lock.rs
@@ -5312,7 +5312,7 @@ fn lock_redact_git() -> Result<()> {
 [[package]]
 name = "uv-private-pypackage"
 version = "0.1.0"
- source = { git = "https://***@github.com/astral-test/uv-private-pypackage#d780faf0ac91257d4d5a4f0c5a0e4509608c0071" }
+ source = { git = "https://github.com/astral-test/uv-private-pypackage#d780faf0ac91257d4d5a4f0c5a0e4509608c0071" }
 "###
 );
 });
@@ -5339,7 +5339,7 @@ fn lock_redact_git() -> Result<()> {
 Prepared 2 packages in [TIME]
 Installed 2 packages in [TIME]
 + foo==0.1.0 (from file://[TEMP_DIR]/)
- + uv-private-pypackage==0.1.0 (from git+https://***@github.com/astral-test/uv-private-pypackage@d780faf0ac91257d4d5a4f0c5a0e4509608c0071)
+ + uv-private-pypackage==0.1.0 (from git+https://github.com/astral-test/uv-private-pypackage@d780faf0ac91257d4d5a4f0c5a0e4509608c0071)
 "###);

 Ok(())
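Review bot: The username is cleared for every scheme in `locked_git_url`, so a source such as `ssh://git@host/org/repo` would be written to the lockfile as `ssh://host/org/repo`, where the user is part of the address rather than a secret. If `git_dist.git.repository()` can hold SSH URLs (not visible in this hunk), limit the reset to HTTP(S), e.g. `if matches!(url.scheme(), "http" | "https") { let _ = url.set_username(""); }`, and keep `set_password(None)` unconditional. The two `let _ =` discards also deserve a comment such as `// The setters only fail for URLs that cannot carry userinfo (no host, cannot-be-a-base, file:), so nothing is left unredacted.` The function body continues past the end of the hunk.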
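Review bot: The updated snapshots in `lock_redact_git` (the hunk at 5312 and the one at 5339) only cover a credential that was displayed as `***@` on an `https://` URL. As far as these hunks show, no case has a `user:password@` pair or a non-HTTP scheme, so the new `set_password(None)` call and the scheme-independent username reset are not pinned by a test here. A small unit test on `locked_git_url` with constructed URLs (for example `https://user:secret@example.com/repo`) asserting that `username()` is empty and `password()` is `None` would make sure no userinfo reaches the lockfile. The test function starts and ends outside both hunks.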