Commit 7d7fa7a2 authored by Jérome Perrin's avatar Jérome Perrin

remove credentials from URLs to prevent secrets leak

parent 870c2ac1
...@@ -31,7 +31,7 @@ import datetime ...@@ -31,7 +31,7 @@ import datetime
from glob import glob from glob import glob
import importlib.metadata import importlib.metadata
from os.path import basename from os.path import basename
from urllib.parse import unquote from urllib.parse import unquote, urlparse
import argparse import argparse
import json import json
import sys, configparser, re, codecs import sys, configparser, re, codecs
...@@ -266,7 +266,7 @@ def bom_software(installed_software_path): # -> {} (name,kind) -> PkgInfo ...@@ -266,7 +266,7 @@ def bom_software(installed_software_path): # -> {} (name,kind) -> PkgInfo
ver = part.get('branch') ver = part.get('branch')
if ver is None: if ver is None:
ver = 'HEAD' ver = 'HEAD'
addbom(repo, 'git', ver) addbom(_remove_credentials_from_url(repo), 'git', ver)
elif recipe in ('rubygemsrecipe',): elif recipe in ('rubygemsrecipe',):
location = part.get('location', raw=True) location = part.get('location', raw=True)
...@@ -292,7 +292,7 @@ def geturl(part, default=_missing): ...@@ -292,7 +292,7 @@ def geturl(part, default=_missing):
if default is not _missing: if default is not _missing:
return default return default
raise KeyError('section %s has no url' % part) raise KeyError('section %s has no url' % part)
return url return _remove_credentials_from_url(url)
_egg_re = re.compile(r'^(?P<name>[\w\-\.]+)(\[.*\])?$') _egg_re = re.compile(r'^(?P<name>[\w\-\.]+)(\[.*\])?$')
...@@ -324,6 +324,15 @@ def eggscript_imports(path): ...@@ -324,6 +324,15 @@ def eggscript_imports(path):
return importv return importv
def _remove_credentials_from_url(url):
parsed_url = urlparse(url)
netloc = parsed_url.hostname
if parsed_url.port:
netloc += f':{parsed_url.port}'
return parsed_url._replace(
netloc=netloc).geturl()
def bom_node(XXX): def bom_node(XXX):
1/0 1/0
# TODO bom_node should: # TODO bom_node should:
...@@ -564,7 +573,7 @@ def fmt_bom_cyclonedx_json(bom, software_path): ...@@ -564,7 +573,7 @@ def fmt_bom_cyclonedx_json(bom, software_path):
"externalReferences": [ "externalReferences": [
{ {
"type": "build-meta", "type": "build-meta",
"url": software_url, "url": _remove_credentials_from_url(software_url),
} }
] ]
}, },
......
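Review bot: `_remove_credentials_from_url` (hunk at -324,+324) rebuilds the netloc from `parsed_url.hostname`, which lowercases the host and strips IPv6 brackets, so a URL such as `https://u:p@[::1]:8080/x` would come back as `https://::1:8080/x`, and `parsed_url.port` raises ValueError on a non-numeric or out-of-range port, turning a malformed URL in a buildout section into a crash of the whole BOM run instead of a sanitised entry. Since the goal is only to drop the userinfo, replacing the three lines `netloc = parsed_url.hostname` / `if parsed_url.port:` / `netloc += f':{parsed_url.port}'` with `netloc = parsed_url.netloc.rpartition('@')[2]` keeps host case, brackets and port exactly as written and still yields `https://lab.nexedi.com/nexedi/secret.git` for the case added in the test file. Values without a netloc (scp-style `git@host:path` or a plain local path) pass through both versions unchanged, which is presumably the intent but worth a comment. The helper also lacks a docstring; `"""Return url with any userinfo (login:password@) stripped from its netloc, so it is safe to write into the BOM."""` would state the contract the three call sites (bom_software, geturl, fmt_bom_cyclonedx_json) rely on. bom_node, which starts on the last lines of that hunk, continues outside it.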
...@@ -144,6 +144,15 @@ repository = https://github.com/nexedi/neoppod ...@@ -144,6 +144,15 @@ repository = https://github.com/nexedi/neoppod
neoppod HEAD https://github.com/nexedi/neoppod neoppod HEAD https://github.com/nexedi/neoppod
""") """)
case1("""\
[secret-repository.git]
recipe = slapos.recipe.build:gitclone
repository = https://login:password@lab.nexedi.com/nexedi/secret.git
""", """
>>> gits:
secret HEAD https://lab.nexedi.com/nexedi/secret.git
""")
case1("""\ case1("""\
[ocropy-eng-traineddata] [ocropy-eng-traineddata]
recipe = slapos.recipe.build:download recipe = slapos.recipe.build:download
......
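Review bot: The new `secret-repository.git` case covers only a host with no port and an all-lowercase name, so it would still pass if the helper mangled the port or host case. A second case with an explicit port, e.g. (constructed) `repository = https://login:password@lab.nexedi.com:8443/nexedi/secret.git` expecting `secret HEAD https://lab.nexedi.com:8443/nexedi/secret.git`, would pin that only the userinfo is removed.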