[rubygems/rubygems] Fix private registry credentials being written to logs

https://github.com/rubygems/rubygems/commit/d070fa10c1 Co-authored-by: Artem Ignatyev <zazubrik@gmail.com>
2026-01-27 04:24:23 +00:00 · 2022-01-17 13:47:27 +02:00 · 2022-01-17 13:47:27 +02:00 · fbe35bcc82
commit fbe35bcc82
parent 10d694a1ff
2 changed files with 44 additions and 9 deletions
--- a/lib/bundler/rubygems_integration.rb
+++ b/lib/bundler/rubygems_integration.rb
@ -393,7 +393,9 @@ module Bundler
    def download_gem(spec, uri, cache_dir, fetcher)
      require "rubygems/remote_fetcher"
      uri = Bundler.settings.mirror_for(uri)
-      Bundler::Retry.new("download gem from #{uri}").attempts do
+      redacted_uri = Gem::Uri.redact(uri)
+
+      Bundler::Retry.new("download gem from #{redacted_uri}").attempts do
        gem_file_name = spec.file_name
        local_gem_path = File.join cache_dir, gem_file_name
        return if File.exist? local_gem_path
@ -415,7 +417,7 @@ module Bundler
        end
      end
    rescue Gem::RemoteFetcher::FetchError => e
-      raise Bundler::HTTPError, "Could not download gem from #{uri} due to underlying error <#{e.message}>"
+      raise Bundler::HTTPError, "Could not download gem from #{redacted_uri} due to underlying error <#{e.message}>"
    end

    def build(spec, skip_validation = false)
--- a/spec/bundler/bundler/rubygems_integration_spec.rb
+++ b/spec/bundler/bundler/rubygems_integration_spec.rb
@ -32,7 +32,6 @@ RSpec.describe Bundler::RubygemsIntegration do

  describe "#download_gem" do
    let(:bundler_retry) { double(Bundler::Retry) }
-    let(:uri) { Gem::URI.parse("https://foo.bar") }
    let(:cache_dir) { "#{Gem.path.first}/cache" }
    let(:spec) do
      spec = Gem::Specification.new("Foo", Gem::Version.new("2.5.2"))
@ -41,13 +40,47 @@ RSpec.describe Bundler::RubygemsIntegration do
    end
    let(:fetcher) { double("gem_remote_fetcher") }

-    it "successfully downloads gem with retries" do
-      expect(Bundler::Retry).to receive(:new).with("download gem from #{uri}/").
-        and_return(bundler_retry)
-      expect(bundler_retry).to receive(:attempts).and_yield
-      expect(fetcher).to receive(:cache_update_path)
+    context "when uri is public" do
+      let(:uri) { Gem::URI.parse("https://foo.bar") }

-      Bundler.rubygems.download_gem(spec, uri, cache_dir, fetcher)
+      it "successfully downloads gem with retries" do
+        expect(Bundler::Retry).to receive(:new).with("download gem from #{uri}/").
+          and_return(bundler_retry)
+        expect(bundler_retry).to receive(:attempts).and_yield
+        expect(fetcher).to receive(:cache_update_path)
+
+        Bundler.rubygems.download_gem(spec, uri, cache_dir, fetcher)
+      end
+    end
+
+    context "when uri contains userinfo part" do
+      let(:uri) { Gem::URI.parse("https://#{userinfo}@foo.bar") }
+
+      context "with user and password" do
+        let(:userinfo) { "user:password" }
+
+        it "successfully downloads gem with retries with filtered log" do
+          expect(Bundler::Retry).to receive(:new).with("download gem from https://user:REDACTED@foo.bar/").
+            and_return(bundler_retry)
+          expect(bundler_retry).to receive(:attempts).and_yield
+          expect(fetcher).to receive(:cache_update_path)
+
+          Bundler.rubygems.download_gem(spec, uri, cache_dir, fetcher)
+        end
+      end
+
+      context "with token [as user]" do
+        let(:userinfo) { "token" }
+
+        it "successfully downloads gem with retries with filtered log" do
+          expect(Bundler::Retry).to receive(:new).with("download gem from https://REDACTED@foo.bar/").
+            and_return(bundler_retry)
+          expect(bundler_retry).to receive(:attempts).and_yield
+          expect(fetcher).to receive(:cache_update_path)
+
+          Bundler.rubygems.download_gem(spec, uri, cache_dir, fetcher)
+        end
+      end
    end
  end