
No way to set --index_url without leaking password on error

Open aaron-michaux opened this issue 1 year ago • 6 comments

🐞 bug report

Affected Rule

pip_parse(
    ...
    envsubst = ["PIP_INDEX_URL"],
    extra_pip_args = ["--index-url", "${PIP_INDEX_URL}"],
)

Is this a regression?

No

Description

We have an "index-url" that uses secure credentials. We do not want those credentials to leak into error logs when there's a pip error. However, the combo of setting envsubst and extra_pip_args precisely does this.

(We cannot use bzlmod, so we cannot use the bazel http downloader for python pip.)

🔬 Minimal Reproduction

Any pip_parse rule that errors will print the extra_pip_args.

Note that pip itself is smart enough to ***** out the password on PIP_INDEX_URL.

🔥 Exception or Error


command: ..../bin/python3 -m python.private.pypi.whl_installer.wheel_installer --requirement "..." --extra_pip_args "{\"arg\": [https://username:PASSWORD@someurl/simpl]}" ...

🌍 Your Environment

Operating System:

Linux

Output of bazel version:

Bazelisk version: v1.20.0
Build label: 6.3.2
Build target: .../BazelServer_deploy.jar
...

Rules_python version:

0.35.0

Anything else relevant?

=)

aaron-michaux, Sep 07 '24 19:09
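One way to close this kind of leak is to mask URL userinfo in every argument before a failed command is formatted into an error message, much like the masking the report says pip applies. The following is an added example, not rules_python's code: the function names, the `installer_module` name and the sample command line are constructed for illustration.

```python
import re

# scheme://userinfo@  -- userinfo is matched greedily up to the last "@" that
# precedes the first "/" or whitespace, so a password containing a raw "@" is
# still fully covered. Over-matching only masks more text, it never leaks.
USERINFO_RE = re.compile(
    r"(?P<scheme>[A-Za-z][A-Za-z0-9+.\-]*://)(?P<userinfo>[^/\s]+)@"
)

def mask_userinfo(match):
    user, sep, _secret = match.group("userinfo").partition(":")
    # "user:password" keeps the user name; a lone token is itself the secret.
    shown = f"{user}:****" if sep else "****"
    return f"{match.group('scheme')}{shown}@"

def redact_arg(arg):
    """Mask credentials in any URL embedded in one argument, including URLs
    nested inside a JSON blob such as the value of --extra_pip_args."""
    return USERINFO_RE.sub(mask_userinfo, arg)

def redact_command(argv):
    """Return a copy of argv that is safe to print."""
    return [redact_arg(a) for a in argv]

def format_failure(argv, returncode):
    """Build the error text from the redacted command, never the raw one."""
    return f"command failed (exit {returncode}): " + " ".join(redact_command(argv))

# Constructed sample command line (hypothetical module name and host).
SAMPLE_ARGV = [
    "python3", "-m", "installer_module",
    "--requirement", "example==1.0",
    "--extra_pip_args",
    '{"arg": ["--index-url", "https://username:s3cr3t@pypi.example.invalid/simple"]}',
]

if __name__ == "__main__":
    print(format_failure(SAMPLE_ARGV, 1))
```

Redaction has to happen at every place the command is rendered (exception messages, debug logging, repository-rule failure output), since the unredacted argv must still be passed to the subprocess itself.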