packaging
Auth not redacted in string representation of the requirement
Hi there :smile:
Inside the Requirement class, the url part of the requirement is added to the string repr without redacting any possible sensitive data.
https://github.com/pypa/packaging/blob/745bb0a763517a21422e74e936a24b043e8dc225/packaging/requirements.py#L136
In pip, there is an issue about this behaviour. Instead of fixing it in the vendored version of pip, we should probably fix it upstream instead.
Lemme know what you think :smiley:
Cloning https://user:****@example.com to /tmp/pip-install-ighmw36e/dependency
Should the user part be considered sensitive too?
IIRC pip chose to not redact the user part based on user feedback, it’s much easier to debug from logs if the username is shown.
I am more than okay with providing a PR myself, I am just waiting for a green light from a maintainer in order to start :smile:
This is a no-go IMO.
It breaks Requirement(str(req)) == req and there's a lot of non-pip users of this library who depend on this behaviour.
The fix to better separate "url" and "url with auth" during logging needs to happen in pip.
@pradyunsg maybe this could be alleviated by adding a safe_str() method that returns the masked version? (naming TBD of course)
@pradyunsg The issue with separating "url" and "url with auth" in pip is that pip is relying on the str(req) behaviour of the Requirement class, so there is no easy way to extract and redact only the req.url part.
Would you accept a solution akin to what @MrMino proposed, so str(req) stays the same but pip can call req.safe_str() instead when needed?
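A redacting helper in the spirit of the safe_str() idea discussed above, added here as an example; it is not code from packaging or pip, and the function names, the "****" mask and the keep_user switch are assumptions of this example. It keeps the username by default, as the thread says pip does, and leaves str(req) itself untouched.

```python
# Added example (not packaging's or pip's code): redact the password in the
# userinfo of a requirement's URL for logging, keeping everything else intact.
from urllib.parse import urlsplit, urlunsplit

MASK = "****"  # assumed mask; pip's log line above uses the same four stars


def redact_url_auth(url: str, keep_user: bool = True) -> str:
    """Return url with the password in its userinfo replaced by MASK.

    The username is kept by default (the thread says pip chose this because
    it helps when reading logs); keep_user=False masks it as well.
    URLs without an '@' in the netloc are returned unchanged, and the host,
    port, path, query and fragment are copied verbatim.
    """
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    # rsplit so a raw '@' inside the password does not split the host off.
    userinfo, host = parts.netloc.rsplit("@", 1)
    user, has_password, _password = userinfo.partition(":")
    if not keep_user:
        user = MASK
    new_userinfo = user + (":" + MASK if has_password else "")
    return urlunsplit(parts._replace(netloc=new_userinfo + "@" + host))


def safe_requirement_str(req_str: str) -> str:
    """Redact credentials in a PEP 508 direct-reference requirement string.

    str(req) for a direct reference looks like 'name[extra] @ url ; marker';
    only the url part between ' @ ' and an optional ' ;' is rewritten.
    Any other requirement string is returned unchanged.
    """
    head, sep, rest = req_str.partition(" @ ")
    if not sep:
        return req_str
    url, marker_sep, marker = rest.partition(" ;")
    return head + sep + redact_url_auth(url.strip()) + marker_sep + marker


if __name__ == "__main__":
    # Constructed sample, modelled on the pip log line quoted in the issue.
    sample = "dependency @ git+https://user:s3cret@example.com/dependency.git"
    print(safe_requirement_str(sample))
```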