From f9fccbab1e5e8b849b3790a9eb0c763835443917 Mon Sep 17 00:00:00 2001
From: Stephan Vock
Date: Wed, 21 Aug 2019 10:07:36 +0100
Subject: [PATCH 1/2] GitHub: don't display access token in debug log
---
 src/Composer/Util/RemoteFilesystem.php | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/src/Composer/Util/RemoteFilesystem.php b/src/Composer/Util/RemoteFilesystem.php
index 32767c161..2e3f4627b 100644
--- a/src/Composer/Util/RemoteFilesystem.php
+++ b/src/Composer/Util/RemoteFilesystem.php
@@ -301,7 +301,7 @@ class RemoteFilesystem
 $actualContextOptions = stream_context_get_options($ctx);
 $usingProxy = !empty($actualContextOptions['http']['proxy']) ? ' using proxy ' . $actualContextOptions['http']['proxy'] : '';
- $this->io->writeError((substr($origFileUrl, 0, 4) === 'http' ? 'Downloading ' : 'Reading ') . $origFileUrl . $usingProxy, true, IOInterface::DEBUG);
+ $this->io->writeError((substr($origFileUrl, 0, 4) === 'http' ? 'Downloading ' : 'Reading ') . $this->stripCredentialsFromUrl($origFileUrl) . $usingProxy, true, IOInterface::DEBUG);
 unset($origFileUrl, $actualContextOptions);
 // Check for secure HTTP, but allow insecure Packagist calls to $hashed providers as file integrity is verified with sha256
@@ -873,7 +873,7 @@ class RemoteFilesystem
 $this->redirects++;
 $this->io->writeError('', true, IOInterface::DEBUG);
- $this->io->writeError(sprintf('Following redirect (%u) %s', $this->redirects, $targetUrl), true, IOInterface::DEBUG);
+ $this->io->writeError(sprintf('Following redirect (%u) %s', $this->redirects, $this->stripCredentialsFromUrl($targetUrl)), true, IOInterface::DEBUG);
 $additionalOptions['redirects'] = $this->redirects;
@@ -1123,4 +1123,15 @@ class RemoteFilesystem
 return $hostPort;
 }
+
+ private function stripCredentialsFromUrl($url)
+ {
+ // GitHub repository rename result in redirect locations containing the access_token as GET parameter
+ // e.g. https://api.github.com/repositories/9999999999?access_token=github_token
+ if (preg_match('{^(https?://([a-z0-9-]+\.)*github\.com/.*)\?access_token=[a-z0-9]+}', $url, $matches)) {
+ return $matches[1];
+ }
+
+ return $url;
+ }
 }
From fd70d9cdc31881ae7441560a205fb5e49f647ee9 Mon Sep 17 00:00:00 2001
From: Jordi Boggiano
Date: Thu, 29 Aug 2019 12:22:38 +0200
Subject: [PATCH 2/2] Stripe access tokens in a more generic way
---
 src/Composer/Util/RemoteFilesystem.php | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/src/Composer/Util/RemoteFilesystem.php b/src/Composer/Util/RemoteFilesystem.php
index 2e3f4627b..a44d8f86f 100644
--- a/src/Composer/Util/RemoteFilesystem.php
+++ b/src/Composer/Util/RemoteFilesystem.php
@@ -1128,10 +1128,6 @@ class RemoteFilesystem
 {
 // GitHub repository rename result in redirect locations containing the access_token as GET parameter
 // e.g. https://api.github.com/repositories/9999999999?access_token=github_token
- if (preg_match('{^(https?://([a-z0-9-]+\.)*github\.com/.*)\?access_token=[a-z0-9]+}', $url, $matches)) {
- return $matches[1];
- }
-
- return $url;
+ return preg_replace('{([&?]access_token=)[^&]+}', '$1***', $url);
 }
 }
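Review bot: The new `preg_replace` in `stripCredentialsFromUrl` masks only an `access_token` query parameter, so a URL that carries credentials as userinfo (`https://user:secret@host/...`) or under another parameter name still reaches both debug-log callers unchanged; whether such URLs can arrive here (a redirect `Location` or a configured repository URL) is not visible in this hunk, so this is a hedge rather than a confirmed leak. Masking the authority's userinfo is a one-line addition before the return, `$url = preg_replace('{^(https?://)[^/@]+@}', '$1***@', $url);`, which leaves URLs without an `@` in the authority untouched. The two comment lines kept above the return still describe only the GitHub-rename case from the first patch although the method is now generic; a short docblock such as `/** Masks secrets in $url before it is written to a debug log (currently the access_token query parameter only). @param string $url @return string */` would keep the next reader from assuming full credential scrubbing. Note also that `preg_replace` returns `null` on a PCRE error, so the callers would then log an empty string instead of the URL, which is acceptable for a log line but worth a one-line comment.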