pip prints out username and password from URLs with them

[mitar]

• Pip version: 9.0.1
• Python version: 3.5.2
• Operating system: Mac OS X

Description:

When I am installing pip packages from URLs which include username and password, pip prints username and password back out. This is problematic because if I am trying to install packages in an environment which logs output (Docker build for example, or CI runner) password will be logged and potentially publicly stored. I could limit pip's output, but then I might miss important output, and it will be harder to debug things.

Ideally, pip would obfuscate URLs before printing them out.

What I've run:

pip install git+https://username:password@github.com/example/private.git

Output:

Collecting git+https://username:password@github.com/example/private.git
  Cloning https://username:password@github.com/example/private.git to ...

[pradyunsg]

Not sure if it solves your issue but you can use oath tokens with Github?

[mitar]

Ehm, but then tokens would be visible in the log. Same deal. Somebody could see those tokens and use them to authenticate as well.

[pradyunsg]

I always use ssh to clone/push/pull from GitHub; maybe that would be useful for you?

I don't know enough about this stuff though; someone else might.

[mitar]

It is complicated to configure SSH keys inside Docker build process or CI environment. It is easier to pass a secret environment variable for username and password.

[pfmoore]

I think this is a reasonable request, although I suspect it's a relatively rare situation. @mitar it would be awesome if you could provide a PR for this change, otherwise it'll have to wait until someone has the spare time to look at implementing it.

[cjerdonek]

I noticed earlier that something similar is being done for subversion here:

pip/src/pip/_internal/vcs/subversion.py

Line 225 in 90f64b4

def remove_auth_from_url(url):

[mrburrito]

This is also an issue for basic authentication to a PyPi repository.

For example, if I have a pip.conf with:

[global]
index-url = https://USERNAME:PASSWORD@my.repo.com/pypi/simple

Any time I do a pip install in my CI jobs, I see:

Looking in indexes: https://USERNAME:PASSWORD@my.repo.com/pypi/simple
...

Huge security concern for leaking credentials.