Expand environment variables in user-provided index URLs #5734
Comments
charliermarsh
added
the
compatibility
|
It looks like pip does not support either of these. |
|
Poetry does not support the latter: python-poetry/poetry#208 |
|
Rust does not support this but the issue is not closed: rust-lang/cargo#10789 |
|
I am not strictly opposed to it but we should get some more opinions (\cc @zanieb @BurntSushi @konstin). |
|
PDM supports this: Store credentials with the index, Local dependencies |
|
Hatch also supports this: Context formatting |
|
I looked around Poetry's document and found this https://python-poetry.org/docs/configuration/#http-basicnameusernamepassword . |
|
I know I'm not a maintainer of uv, but I strongly suggest that if environment lookups were added that they be opt-in. I've heard of things going very bad security wise from environment variables. |
|
Can you share more details or examples please @CoolCat467? |
|
Something like |
|
Cargo has https://doc.rust-lang.org/cargo/reference/config.html#env Might not directly related but there's also https://doc.rust-lang.org/cargo/reference/config.html#credentials. |
|
Related: #5119 |
Currently One of the strengths of environment variables is avoiding version control. Most VCSs support masking environment variables from job/log output when expanded. See GitLab and GitHub docs. They aren’t 100% foolproof. I think there’s a tradeoff between flexibility and security. |
I think I would personally find it very surprising if an environment variable got expanded here. Basically, if I'm running a Unix shell command and I use single quotes, I have a very strong prior that the string is interpreted literally with no interpolation.
👍 on this (including that env vars are maybe not the best solution to this specific problem), but having an explicit |
|
I'm currently looking at using uv instead of pipenv for our projects, and env var expansion is something we use with pipenv and our AWS CodeArtifact repo. Not having this makes things a bit more complicated to use uv (i.e. we can't easily specify in the pyproject.toml file where the packages are located without constant updates since the index url contains the auth and it's only good for a limited time). I'm not sure I understand the concern around env var expansion within a url for this use-case, though. |
|
"opt-in variables"? because you don't trust your own environment-variables? That makes zero sense to me.
The source-urls in the lockfile could just use the verbatim non-resolved strings "https://${PYPI_USERNAME}:${PYPI_USERNAME}..." |
|
Coming from a very strongly-regulated background, hard agree with @CoolCat467. IMHO security-by-default is the way. I am not strictly opposed to the feature, but if it is to be implemented I believe it should not be on by default. (also, TBH, I struggle to understand the use case... if you want to interpolate secrets from env vars, why not just pass People have been bitten countless times by tools doing insecure-by-default behaviours (NGINX and Docker are my two favourite examples). I'd really rather not be in the position of having to bolt-on extra security on top of
As ridiculous/paranoid as it may sound to those not in heavily-regulated fields -- nope, I do not trust my own env vars not to get leaked. This happens all the time, and if you are especially unfortunate, can lead to multi-billion $$$ costs. And although solutions such as in-line log filters may do a decent job at scrubbing secrets out of stdout/stderr... those are still best-effort. And there are countless other places I could leak my secrets -- e.g. I could inadvertently publish them as part of my wheel/container image/rpm/deb. Obviously no one will really want to do the latter, but as |
|
@paveldikov You argue against putting secrets in environment variables, because they might be leaked (see uv.lock). OK, Then don't. I worked for years in the pharma-industry, and currently work in another highly regulated industry. I fail to see a structural difference between putting your secrets in UV_INDEX_URL or in a extrapolated variable in pyproject.toml. |
This is actually not what I am saying. I do happen to dislike secrets-in-environment-variables, but I am not actually arguing against them. I am well aware that they are a fact of life in a number of commonly-used CI/CD platforms. What I am rather saying is that this feature should not be on by default. I'd be perfectly happy with an index-url = "https://${PYPI_USERNAME}.com/repository/pypi-proxy/simple/flask/"
allow-env-substitution = trueSimple as that. I think it's a no-brainer: if you want the expressive-but-less-secure behaviour, add an extra line in your config, and be done with it. |
|
it feels like that setting would have to be itself an env var (or uv global setting) to make any sense to me... Like if you're explicitly describing your index-url as having this special interpolation syntax, then obviously you'll always be setting that config value as true in conjunction (having it as false would never be correct). To me it feels like the attack you're trying guard against is some package which sets The pyproject.toml author needn't fear their own project settings/values, afaict (again, because if you can control the url, you can control that setting. But perhaps you as the consumer of some unknown pyproject.toml maybe ought to fear using it if this feature exists. Whereas today where you're explicitly mapping a given domain to the credentials (with something like netrc or keychain), or supplying them directly through UV_* env vars. |
Exactly. Two scenarios that come to mind immediately:
(FWIW the idea of consuming an untrusted |
|
I'm not sure exactly what mitigation makes the most sense, but basically my point was that the operator of the environment ought to be the one controlling access (default or not) to this feature. e.g. environment variable or uv setting. Whereas it being enableable by the person controlling the pyproject.toml would be where I could see there being issues. The other problem, if you take this issue seriously, would be that just enabling it or disabling it seems likely to not be particularly useful. If you're operating in a project that uses the feature, likely you'd just plop the enabling env var into a bashrc and go about your day, worse if it defaults on. Akin to index credentials themselves (by keychain) seems like it'd need to be something that maps index domain (not name, seems like that would also be too easy to attack) to allowed env vars. It just starts to get very un-ergonomic very quick; unless perhaps it was a JIT approval the first time for a given index. |
|
The problem with the first issue is the use of single quotes which tell bash to interpret the string literally. Use double quotes for string interpolation |
Right now, we only support expansion (1) by the shell (of course) and (2) in requirements files. But the following don't expand:
cargo run pip install flask --index-url 'https://${PYPI_USERNAME}.com/repository/pypi-proxy/simple/flask/'uv.tomlorpyproject.tomlfileThe text was updated successfully, but these errors were encountered: