fix(security): hide personal access token given in uri (pact-foundation#225)

thomas-girotto · web-flow · commit f6db12da71bd · 2020-10-12T10:00:23.000+11:00
something like https://pat@my-pact-server/pact.json is possible where pat stands for personal access token and is a secret.
fix the current behavior where only https://user:password@my-pact-server/pact.json is checked
diff --git a/lib/pact/provider/pact_uri.rb b/lib/pact/provider/pact_uri.rb
@@ -17,7 +17,7 @@ def == other
       end
 
       def basic_auth?
-        !!username
+        !!username && !!password
       end
 
       def username
@@ -29,12 +29,23 @@ def password
       end
 
       def to_s
-        if basic_auth? && uri.start_with?('http://', 'https://')
+        if basic_auth? && http_or_https_uri?
           URI(@uri).tap { |x| x.userinfo="#{username}:*****"}.to_s
+        elsif personal_access_token? && http_or_https_uri?
+          URI(@uri).tap { |x| x.userinfo="*****"}.to_s
         else
           uri
         end
       end
+
+      private def personal_access_token?
+        !!username && !password
+      end
+
+      private def http_or_https_uri?
+        uri.start_with?('http://', 'https://')
+      end
+      
     end
   end
 end
diff --git a/spec/lib/pact/provider/pact_uri_spec.rb b/spec/lib/pact/provider/pact_uri_spec.rb
@@ -23,11 +23,11 @@
   end
 
   describe '#to_s' do
-    context 'with userinfo provided' do
+    context 'with basic auth provided' do
       let(:password) { 'my_password' }
       let(:options) { { username: username, password: password } }
 
-      it 'should include user name and password' do
+      it 'should include user name and and hide password' do
         expect(pact_uri.to_s).to eq('http://pact:*****@uri')
       end
 
@@ -40,6 +40,23 @@
       end
     end
 
+    context 'with personal access token provided' do
+      let(:pat) { 'should_be_secret' }
+      let(:options) { { username: pat } }
+
+      it 'should hide the pat' do
+        expect(pact_uri.to_s).to eq('http://*****@uri')
+      end
+
+      context 'when pat credentials have been set for a local file (eg. via environment variables, unintentionally)' do
+        let(:uri) { '/some/file thing.json' }
+
+        it 'does not blow up' do
+          expect(pact_uri.to_s).to eq uri
+        end
+      end
+    end
+
     context 'without userinfo' do
       let(:options) { {} }
 
