Remove user credentials in URLs when converting to a string #3513
Conversation
zanderxyz
force-pushed
the
mask-credentials
branch
3 times, most recently
from
60f4499 to
fb53495
Compare
zanderxyz
changed the title
zanderxyz
force-pushed
the
mask-credentials
branch
from
fb53495 to
0441070
Compare
zanderxyz
changed the title
| ) | ||
|
|
||
| return f"{self.__class__.__name__}({url!r})" | ||
| return f"{self.__class__.__name__}({str(self._uri_reference)!r})" |
There was a problem hiding this comment.
This seems simpler, rather than re-implementing the logic already in _urlparse.py. The user credentials are sent in a header rather than the URL anyway.
zanderxyz
force-pushed
the
mask-credentials
branch
from
0441070 to
7395692
Compare
|
Yep, hiding user credentials at the lowest layer and preventing them from being passed higher makes perfect sense. Now it's exposed in URL.str, but not in URL.repr, which is a bit weird. str is supposed to show more user-related data, while repr is more for debugging and development. So, hiding it in repr would make more sense. However, I think preventing it entirely is the most secure way. |
Just to clarify - after the change in this PR, the username & password are not exposed in either str or **repr✱. I do think this is the most secure implementation, and I don't think we really lose anything.. |
Summary
As previously noted in this GitHub discussion, this library by default leaks credentials which are included in URL strings (common for basic authentication). It can also raise exceptions which contain the credentials in the error string if a request fails (see
raise_for_status).This PR updates the
__str__method on URLs to remove the user & password details. I believe this is the correct default behaviour for a library like this, as it avoids any risk of leakage. Removing the user & password entirely seems both (a) the safest option, and (b) the simplest implementation. These credentials are passed as headers in reality, and are not technically part of the URL.Checklist