Disclosure of credentials for private PyPI repo in the list of processes
In my project, I use "Injecting credentials into Pipfiles via environment variables" as described in the documentation.
However, when pipenv performs install, it runs pip w/ --extra-index-url https://<my-secret-credentials>@my.pypi.repo option which is pretty visible in the list of processes to anyone on the host.
It'd be nice to keep secrets better ;-)
@zaufi Which version of pipenv? Have you tried with 2022.1.8?
$ pipenv --version
pipenv, version 2022.5.2
Thanks @zaufi -- I was closing out old issues and I can now see that this issue is specifically about the list of processes showing the expanded variables to the pip subprocess:
--extra-index-url https://<my-secret-credentials>@my.pypi.repo option which is pretty visible in the list of processes to anyone on the host.
I have re-opened the issue as this deserves more attention at some point.
@zaufi So I just did some testing and can confirm what you are seeing with top -c. However, I find that even pip itself expands the environment variables into the CLI args. However, if I modify the command to pass it in like this:
pip install requests <<< "--extra-index-url https://${SECRET}@my.pypi.repo" it does hide the variable from top -c.
However, this syntax does not work for PowerShell; I believe it is bash specific.
One solution I see is to use a .netrc file somehow, which is already supported by pip.
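An added example (not from this thread, pipenv or pip) of a check for the exposure discussed above and of the .netrc alternative: it finds index URLs carrying userinfo in command lines, redacts them for reporting, and rewrites such a URL into a credential-free URL plus a .netrc entry. The host my.pypi.repo, the user and the password are constructed placeholders.

```python
"""Added example: spot index URLs that carry credentials in process command
lines (the exposure this thread describes) and rewrite such a URL into a
credential-free URL plus a ~/.netrc entry, which pip reads instead of argv.
Host, user and password values below are constructed placeholders."""
import re
from pathlib import Path
from urllib.parse import urlsplit, urlunsplit

# Matches http(s) URLs whose authority has userinfo ("user:pass@host" or "token@host").
_URL_WITH_USERINFO = re.compile(r"https?://[^\s/@]+@[^\s]+")
# Constructed sample of what `top -c` or /proc/<pid>/cmdline would show.
SAMPLE_CMDLINE = "pip install requests --extra-index-url https://alice:s3cret@my.pypi.repo/simple"

def find_exposed_urls(cmdline: str) -> list[str]:
    """Return every URL in a command line that embeds credentials."""
    return _URL_WITH_USERINFO.findall(cmdline)

def _host(p) -> str:
    return (p.hostname or "") + (f":{p.port}" if p.port else "")

def redact(url: str) -> str:
    """Replace the userinfo part of a URL with '***' so a report can be logged safely."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, "***@" + _host(p), p.path, p.query, p.fragment))

def to_netrc(url: str) -> tuple[str, str]:
    """Split a credentialed URL into a clean URL and the matching .netrc line."""
    p = urlsplit(url)
    if p.username is None:
        raise ValueError("URL carries no credentials")
    clean = urlunsplit((p.scheme, _host(p), p.path, p.query, p.fragment))
    entry = f"machine {p.hostname} login {p.username}"
    if p.password is not None:  # a bare TOKEN@host URL has no password field
        entry += f" password {p.password}"
    return clean, entry

def scan_proc(proc: Path = Path("/proc")) -> list[tuple[int, str]]:
    """On Linux, report (pid, redacted cmdline) for each process exposing credentials."""
    hits = []
    for cmd in proc.glob("[0-9]*/cmdline"):
        try:
            line = cmd.read_bytes().replace(b"\0", b" ").decode(errors="replace")
        except OSError:
            continue  # process exited or is not readable by this user
        exposed = find_exposed_urls(line)
        for url in exposed:
            line = line.replace(url, redact(url))
        if exposed:
            hits.append((int(cmd.parent.name), line))
    return hits
```

scan_proc() only finds processes whose /proc/<pid>/cmdline is readable by the caller, so run it as root to audit the whole host. The .netrc line it produces goes into ~/.netrc (mode 0600), after which the index URL is passed without credentials.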
We removed support for --extra-index-url so it should never be in the process list now.