remove credentials from URLs to prevent secrets leak

7d7fa7a2 · Jérome Perrin · 870c2ac1 · 7d7fa7a2 · 7d7fa7a2
Commit 7d7fa7a2 authored Jun 07, 2024 by Jérome Perrin
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 4 deletions

nxdbom/__init__.py nxdbom/__init__.py +13 -4

nxdbom/nxdbom_test.py nxdbom/nxdbom_test.py +9 -0

No files found.
--- a/nxdbom/__init__.py
+++ b/nxdbom/__init__.py
@@ -31,7 +31,7 @@ import datetime
 from glob import glob
 import importlib.metadata
 from os.path import basename
-from urllib.parse import unquote
+from urllib.parse import unquote, urlparse
 import argparse
 import json
 import sys, configparser, re, codecs
@@ -266,7 +266,7 @@ def bom_software(installed_software_path): # -> {} (name,kind) -> PkgInfo
                ver = part.get('branch')
            if ver is None:
                ver = 'HEAD'
-            addbom(repo, 'git', ver)
+            addbom(_remove_credentials_from_url(repo), 'git', ver)

        elif recipe in ('rubygemsrecipe',):
            location = part.get('location', raw=True)
@@ -292,7 +292,7 @@ def geturl(part, default=_missing):
        if default is not _missing:
            return default
        raise KeyError('section %s has no url' % part)
-    return url
+    return _remove_credentials_from_url(url)

 _egg_re = re.compile(r'^(?P<name>[\w\-\.]+)(\[.*\])?$')

@@ -324,6 +324,15 @@ def eggscript_imports(path):
    return importv


+def _remove_credentials_from_url(url):
+    parsed_url = urlparse(url)
+    netloc = parsed_url.hostname
+    if parsed_url.port:
+        netloc += f':{parsed_url.port}'
+    return parsed_url._replace(
+        netloc=netloc).geturl()
+
+
 def bom_node(XXX):
    1/0
    # TODO bom_node should:
@@ -564,7 +573,7 @@ def fmt_bom_cyclonedx_json(bom, software_path):
                "externalReferences": [
                    {
                        "type": "build-meta",
-                        "url": software_url,
+                        "url": _remove_credentials_from_url(software_url),
                    }
                ]
            },

--- a/nxdbom/nxdbom_test.py
+++ b/nxdbom/nxdbom_test.py
@@ -144,6 +144,15 @@ repository = https://github.com/nexedi/neoppod
 neoppod                      HEAD       https://github.com/nexedi/neoppod
 """)

+case1("""\
+[secret-repository.git]
+recipe = slapos.recipe.build:gitclone
+repository = https://login:password@lab.nexedi.com/nexedi/secret.git
+""", """
+>>> gits:
+secret                       HEAD       https://lab.nexedi.com/nexedi/secret.git
+""")
+
 case1("""\
 [ocropy-eng-traineddata]
 recipe = slapos.recipe.build:download