
Add test for password escaping

Jordi Boggiano 8 éve
szülő
commit
39c2c8c30a

+ 2 - 2
src/Composer/Util/ProcessExecutor.php

@@ -45,11 +45,11 @@ class ProcessExecutor
     {
         if ($this->io && $this->io->isDebug()) {
             $safeCommand = preg_replace_callback('{(://)(?P<user>[^:/\s]+):(?P<password>[^@\s/]+)}i', function ($m) {
-                if (preg_match('{^[a-f0-9]{12,}$}', $m[2])) {
+                if (preg_match('{^[a-f0-9]{12,}$}', $m['user'])) {
                     return '://***:***';
                 }
 
-                return '://'.$m[2].':***';
+                return '://'.$m['user'].':***';
             }, $command);
             $this->io->writeError('Executing command ('.($cwd ?: 'CWD').'): '.$safeCommand);
         }
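Review bot: The check on the changed line, `preg_match('{^[a-f0-9]{12,}$}', $m['user'])`, hides the user part only when it is at least 12 lower-case hex characters, so a token of any other shape placed before the colon is still written to the debug log in clear. The outer pattern carries the `i` flag but this inner one does not; if upper-case hex tokens can occur, `'{^[a-f0-9]{12,}$}i'` would cover them. A short comment above the check would make the heuristic explicit, for example `// a user part that looks like a hex token (token:x-oauth-token@host) is hidden as well as the password`. The closure sits inside a method whose signature and remaining body are outside this hunk.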

+ 10 - 0
tests/Composer/Test/Util/ProcessExecutorTest.php

@@ -14,6 +14,8 @@ namespace Composer\Test\Util;
 
 use Composer\Util\ProcessExecutor;
 use Composer\TestCase;
+use Composer\IO\BufferIO;
+use Symfony\Component\Console\Output\StreamOutput;
 
 class ProcessExecutorTest extends TestCase
 {
@@ -48,6 +50,14 @@ class ProcessExecutorTest extends TestCase
         ProcessExecutor::setTimeout(60);
     }
 
+    public function testHidePasswords()
+    {
+        $process = new ProcessExecutor($buffer = new BufferIO('', StreamOutput::VERBOSITY_DEBUG));
+        $process->execute('echo https://foo:bar@example.org/ && echo http://foo@example.org && echo http://abcdef1234567890234578:x-oauth-token@github.com/', $output);
+
+        $this->assertEquals('Executing command (CWD): echo https://foo:***@example.org/ && echo http://foo@example.org && echo http://***:***@github.com/', trim($buffer->getOutput()));
+    }
+
     public function testSplitLines()
     {
         $process = new ProcessExecutor;
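Review bot: testHidePasswords only exercises inputs the masking pattern handles cleanly; it has no case for a URL that has a port but no credentials, and none for a password that contains `@`. The pattern in ProcessExecutor does not require an `@` after the password group, so a constructed input such as `echo https://example.org:8080/` appears to be logged as `https://example.org:***/`, and `https://user:p@ss@example.org/` appears to leave `@ss` visible. Adding both as assertions would pin the intended behaviour before the pattern is tightened. `assertSame` would also be the stricter choice than `assertEquals` for this string comparison.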