rhodecode-vcsserver Commit - r106:d14c31eb

remote-clone: obfuscate also given query string paramas that RhodeCode uses. Fixes

marcink -

r106:d14c31eb default

parent child

tests/test_main.py

0 +12 0

              # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301  USA
              import mock
+             import pytest
              from vcsserver import main
+             from vcsserver.base import obfuscate_qs
              @mock.patch('vcsserver.main.VcsServerCommand', mock.Mock())
                  mock.Mock(side_effect=Exception("Must not be called")))
              def test_applies_largefiles_patch_only_if_mercurial_is_available():
                  main.main([])
+             @pytest.mark.parametrize('given, expected', [
+                 ('foo=bar', 'foo=bar'),
+                 ('auth_token=secret', 'auth_token=*****'),
+                 ('auth_token=secret&api_key=secret2', 'auth_token=*****&api_key=*****'),
+                 ('auth_token=secret&api_key=secret2&param=value', 'auth_token=*****&api_key=*****&param=value'),
+             ])
+             def test_obfuscate_qs(given, expected):
+                 assert expected == obfuscate_qs(given)

vcsserver/base.py

0 +11 -1

              # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301  USA
              import logging
+             import urlparse
              log = logging.getLogger(__name__)
                              'INIT %s@%s repo object based on wire %s. Context: %s',
                              self.__class__.__name__, wire['path'], wire, context)
                          return createfunc()
+             def obfuscate_qs(query_string):
+                 parsed = []
+                 for k, v in urlparse.parse_qsl(query_string):
+                     if k in ['auth_token', 'api_key']:
+                         v = "*****"
+                     parsed.append((k, v))
+                 return '&'.join('{}={}'.format(k,v) for k,v in parsed)

vcsserver/git.py

0 +2 -1

              from vcsserver import exceptions, settings, subprocessio
              from vcsserver.utils import safe_str
-             from vcsserver.base import RepoFactory
+             from vcsserver.base import RepoFactory, obfuscate_qs
              from vcsserver.hgcompat import (
                  hg_url as url_parser, httpbasicauthhandler, httpdigestauthhandler)
                      url_obj = url_parser(url)
                      test_uri, _ = url_obj.authinfo()
                      url_obj.passwd = '*****'
+                     url_obj.query = obfuscate_qs(url_obj.query)
                      cleaned_uri = str(url_obj)
                      log.info("Checking URL for remote cloning/import: %s", cleaned_uri)

vcsserver/hg.py

0 +3 -1

              from mercurial import unionrepo
              from vcsserver import exceptions
-             from vcsserver.base import RepoFactory
+             from vcsserver.base import RepoFactory, obfuscate_qs
              from vcsserver.hgcompat import (
                  archival, bin, clone, config as hgconfig, diffopts, hex,
                  hg_url as url_parser, httpbasicauthhandler, httpdigestauthhandler,
                      url_obj = url_parser(url)
                      test_uri, authinfo = url_obj.authinfo()
                      url_obj.passwd = '*****'
+                     url_obj.query = obfuscate_qs(url_obj.query)
                      cleaned_uri = str(url_obj)
                      log.info("Checking URL for remote cloning/import: %s", cleaned_uri)

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages