pip prints out username and password from URLs with them

Created on 1 Oct 2017 · 8 comments · Source: pypa/pip

  • Pip version: 9.0.1
  • Python version: 3.5.2
  • Operating system: Mac OS X

Description:

When I am installing pip packages from URLs which include a username and password, pip prints the username and password back out. This is problematic because if I am trying to install packages in an environment which logs output (a Docker build, for example, or a CI runner), the password will be logged and potentially publicly stored. I could limit pip's output, but then I might miss important output, and it will be harder to debug things.

Ideally, pip would obfuscate URLs before printing them out.

What I've run:

pip install git+https://username:[email protected]/example/private.git

Output:

Collecting git+https://username:[email protected]/example/private.git
  Cloning https://username:[email protected]/example/private.git to ...
Labels: awaiting PR, auto-locked, enhancement

All 8 comments

Not sure if it solves your issue, but you can use OAuth tokens with GitHub?

Ehm, but then tokens would be visible in the log. Same deal. Somebody could see those tokens and use them to authenticate as well.

I always use ssh to clone/push/pull from GitHub; maybe that would be useful for you?

I don't know enough about this stuff though; someone else might.

It is complicated to configure SSH keys inside a Docker build process or CI environment. It is easier to pass a secret environment variable for the username and password.

I think this is a reasonable request, although I suspect it's a relatively rare situation. @mitar it would be awesome if you could provide a PR for this change, otherwise it'll have to wait until someone has the spare time to look at implementing it.

I noticed earlier that something similar is being done for subversion here:
https://github.com/pypa/pip/blob/90f64b41bbb20ebb7143d88052c944b30dbe61ac/src/pip/_internal/vcs/subversion.py#L225
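The issue asks pip to obfuscate URLs before printing them, and the comment above points at masking already done for subversion. The following is an added illustration of that idea and is not pip's own code: a small redaction helper applied to a URL before it reaches a logger, plus a scanner a defender can run over captured CI or Docker build output to flag lines where credentials still slipped through, reporting them in redacted form. All URLs and log lines are constructed for the example (example.com domains, placeholder passwords).

```python
"""Added example, not pip's code: mask URL userinfo before logging, and
scan captured build output for credentials that were printed anyway.

Every URL and log line here is constructed for illustration only.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Matches "scheme://userinfo@" in free text. Only used to scan output that
# has already been emitted; the redaction path below parses the URL properly.
_USERINFO_RE = re.compile(
    r"(?P<scheme>[a-zA-Z][a-zA-Z0-9+.-]*://)(?P<userinfo>[^/\s@]+)@"
)


def redact_auth_from_url(url: str) -> str:
    """Return url with its userinfo masked.

    "user:pass@host" becomes "user:****@host"; a bare token "token@host"
    becomes "****@host" because the token itself is the secret. URLs without
    userinfo are returned unchanged. Call this before the URL is formatted
    into any log or progress message.
    """
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    host = parts.hostname or ""      # note: urlsplit lowercases the host
    if ":" in host:                  # re-bracket an IPv6 literal
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    if parts.password is not None:
        userinfo = f"{parts.username or ''}:****"
    else:
        userinfo = "****"
    netloc = f"{userinfo}@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def _mask_match(m: re.Match) -> str:
    """Regex callback: mask the userinfo captured from free-form log text."""
    user, sep, _password = m.group("userinfo").partition(":")
    masked = f"{user}:****" if sep else "****"
    return f"{m.group('scheme')}{masked}@"


def find_leaked_credentials(log_text: str) -> list[tuple[int, str]]:
    """Scan captured build/CI output for URLs that still carry credentials.

    Returns (line_number, redacted_line) for each offending line so the
    finding can be reported without repeating the secret.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if _USERINFO_RE.search(line):
            findings.append((lineno, _USERINFO_RE.sub(_mask_match, line)))
    return findings


# Constructed sample of the kind of output the issue describes.
SAMPLE_LOG = """\
Collecting git+https://username:PASSWORD@example.com/example/private.git
  Cloning https://username:PASSWORD@example.com/example/private.git to /tmp/pip-req-build
Looking in indexes: https://USERNAME:PASSWORD@pypi.example.com/pypi/simple
Requirement already satisfied: requests in /usr/lib/python3/dist-packages
"""


if __name__ == "__main__":
    print(redact_auth_from_url("git+https://username:PASSWORD@example.com/example/private.git"))
    for lineno, redacted in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {lineno}: {redacted}")
```

`redact_auth_from_url` works on the parsed URL rather than on a regex so that an IPv6 host, an explicit port, and a query string all survive intact; the regex-based scanner is deliberately looser because it has to find URLs embedded anywhere in a line of text, and it only ever outputs the masked form.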

This is also an issue for basic authentication to a PyPI repository.

For example, if I have a pip.conf with:

[global]
index-url = https://USERNAME:[email protected]/pypi/simple

Any time I do a pip install in my CI jobs, I see:

Looking in indexes: https://USERNAME:[email protected]/pypi/simple
...

Huge security concern for leaking credentials.

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.