pipenv
Suppressing expansion of environment variables
Issue description
I have a private repository configured in my Pipfile, which specifies credentials via environment variables in the manner described in the pipenv user guide:
[[source]]
url = "https://${JFROG_USERNAME}:${JFROG_PASSWORD}@myorg.jfrog.io/myorg/api/pypi/myrepo/simple"
verify_ssl = true
name = "myrepo"
When running 'pipenv install' and a package cannot be found at the remote index, pipenv prints the following message with environment variables fully expanded:
No versions found
Were https://pypi.org/simple or https://XXXXX:[email protected]/myorg/api/pypi/myrepo/simple reachable?
Expected result
I expected that credentials and other secrets specified via environment variables would remain unexpanded in stdout/stderr messages, such that secrets aren't leaked via CI logs when errors occur.
Steps to replicate
- Create a Pipfile that points to a remote index with credentials specified via environment variables
- Specify a package dependency that you know to not exist
- Run 'pipenv install'
- Observe expansion of environment variables in error output
$ pipenv --support
Pipenv version: '2018.10.13'
Pipenv location: '/home/spiderkeys/.local/lib/python3.6/site-packages/pipenv'
Python location: '/usr/bin/python3'
Python installations found:
3.7.1: /home/spiderkeys/.pyenv/versions/3.7.1/bin/python3.7
3.7.1: /home/spiderkeys/.pyenv/versions/3.7.1/bin/python3.7m
3.6.6: /usr/bin/python3.6
3.6.6: /usr/bin/python3.6m
2.7.15: /home/spiderkeys/.pyenv/versions/2.7.15/bin/python2.7
2.7.15rc1: /usr/bin/python2.7
PEP 508 Information:
{'implementation_name': 'cpython',
'implementation_version': '3.6.6',
'os_name': 'posix',
'platform_machine': 'x86_64',
'platform_python_implementation': 'CPython',
'platform_release': '4.15.0-23-generic',
'platform_system': 'Linux',
'platform_version': '#25-Ubuntu SMP Wed May 23 18:02:16 UTC 2018',
'python_full_version': '3.6.6',
'python_version': '3.6',
'sys_platform': 'linux'}
System environment variables:
CLUTTER_IM_MODULE, LS_COLORS, LESSCLOSE, XDG_MENU_PREFIX, LANG, DISPLAY, PYENV_ROOT, NDDSHOME, OLDPWD, GNOME_SHELL_SESSION_MODE, COLORTERM, DESKTOP_AUTOSTART_ID, USERNAME, CHROME_DESKTOP, XDG_VTNR, SSH_AUTH_SOCK, MANDATORY_PATH, JFROG_USERNAME, APPLICATION_INSIGHTS_NO_DIAGNOSTIC_CHANNEL, XDG_SESSION_ID, USER, DESKTOP_SESSION, QT4_IM_MODULE, TEXTDOMAINDIR, GNOME_TERMINAL_SCREEN, DEFAULTS_PATH, PWD, HOME, TEXTDOMAIN, SSH_AGENT_PID, TERM_PROGRAM, TERM_PROGRAM_VERSION, QT_ACCESSIBILITY, XDG_SESSION_TYPE, XDG_DATA_DIRS, XDG_SESSION_DESKTOP, FIREBASE_ADMIN_KEY, GTK_MODULES, WINDOWPATH, TERM, SHELL, VTE_VERSION, QT_IM_MODULE, XMODIFIERS, IM_CONFIG_PHASE, XDG_CURRENT_DESKTOP, GPG_AGENT_INFO, GNOME_TERMINAL_SERVICE, XDG_SEAT, SHLVL, GDMSESSION, JFROG_PASSWORD, GNOME_DESKTOP_SESSION_ID, LOGNAME, DBUS_SESSION_BUS_ADDRESS, XDG_RUNTIME_DIR, XAUTHORITY, XDG_CONFIG_DIRS, PATH, SESSION_MANAGER, LESSOPEN, GTK_IM_MODULE, _, PYTHONDONTWRITEBYTECODE, PIP_SHIMS_BASE_MODULE, PIP_PYTHON_PATH
Pipenv–specific environment variables:
Debug–specific environment variables:
PATH: /home/spiderkeys/.pyenv/bin:/home/spiderkeys/.cargo/bin:/home/spiderkeys/.cargo/bin:/home/spiderkeys/.cargo/bin:/home/spiderkeys/.cargo/bin:/home/spiderkeys/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
SHELL: /bin/bash
LANG: en_US.UTF-8
PWD: /home/spiderkeys/myorg/production/utils/test_project
Contents of Pipfile ('/home/spiderkeys/myorg/production/utils/test_project/Pipfile'):
[[source]]
url = "https://pypi.org/simple"
verify_ssl = true
name = "pypi"
[[source]]
url = "https://${JFROG_USERNAME}:${JFROG_PASSWORD}@myorg.jfrog.io/myorg/api/pypi/myrepo/simple"
verify_ssl = true
name = "myrepo"
[packages]
nhd220 = {version="*", index="myrepo"}
[dev-packages]
[requires]
python_version = "3.6"
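The behaviour asked for under "Expected result", as an added example that is not part of the original issue and is not pipenv's or pip's code: the expanded URL is used only for the request, the message is built from the unexpanded Pipfile value, and text that already contains expanded values gets the placeholders put back. The function names `expand`, `display`, `scrub` and `unreachable_message` are hypothetical, and the credential values in the sample are constructed.

```python
import os
import re
from urllib.parse import urlsplit, urlunsplit

# ${NAME} placeholders, the form used in the Pipfile source URL.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def expand(template, env=None):
    """Expand placeholders for the actual request. Never log the result."""
    env = os.environ if env is None else env
    return PLACEHOLDER.sub(lambda m: env.get(m.group(1), m.group(0)), template)


def display(template):
    """Safe form of a source URL: placeholders stay, literal userinfo is masked."""
    parts = urlsplit(template)
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at or PLACEHOLDER.sub("", userinfo) in ("", ":"):
        return template
    return urlunsplit(parts._replace(netloc="****@" + hostport))


def scrub(message, templates, env=None):
    """Put placeholders back wherever their expanded values appear in message.

    Covers text produced elsewhere (for example by a subprocess) that already
    contains the expanded URL. One regex pass, longest value first, so a value
    that is a substring of another cannot leave a partial leak.
    """
    env = os.environ if env is None else env
    names = {n for t in templates for n in PLACEHOLDER.findall(t)}
    by_value = {env[n]: n for n in names if env.get(n)}
    if not by_value:
        return message
    pattern = "|".join(re.escape(v) for v in sorted(by_value, key=len, reverse=True))
    return re.sub(pattern, lambda m: "${" + by_value[m.group(0)] + "}", message)


def unreachable_message(templates):
    """Build the 'reachable?' hint from unexpanded source URLs only."""
    return "Were " + " or ".join(display(t) for t in templates) + " reachable?"


if __name__ == "__main__":
    sample_env = {"JFROG_USERNAME": "ci-bot", "JFROG_PASSWORD": "s3cr3t-token"}  # constructed
    src = "https://${JFROG_USERNAME}:${JFROG_PASSWORD}@myorg.jfrog.io/myorg/api/pypi/myrepo/simple"
    leaked = "Were https://pypi.org/simple or " + expand(src, sample_env) + " reachable?"
    print(scrub(leaked, [src], sample_env))
    print(unreachable_message(["https://pypi.org/simple", src]))
```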
I believe this is addressed in pypa/pip#5773. Keeping this open until pip releases it (likely in early 2019).