fix: Remove any credentials from remote URLs, not just GitHub tokens

Issue #61: #61
pawamoy · Oct 10, 2023 · 5d07e91 · 5d07e91
1 parent 5c97284
commit 5d07e91
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 13 deletions.
diff --git a/src/git_changelog/build.py b/src/git_changelog/build.py
@@ -4,11 +4,11 @@
 
 import datetime
 import os
-import re
 import sys
 import warnings
 from subprocess import check_output
 from typing import TYPE_CHECKING, ClassVar, Literal, Type, Union
+from urllib.parse import urlsplit, urlunsplit
 
 from semver import VersionInfo
 
@@ -277,12 +277,14 @@ def get_remote_url(self) -> str:
         if git_url.endswith(".git"):
             git_url = git_url[:-4]
 
-        # Remove GitHub token from the URL.
-        # See https://gist.github.com/magnetikonline/073afe7909ffdd6f10ef06a00bc3bc88.
-        # Personal access tokens (classic): ^ghp_[a-zA-Z0-9]{36}$
-        # Personal access tokens (fine-grained): ^github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}$
-        # GitHub Actions tokens: ^ghs_[a-zA-Z0-9]{36}$
-        return re.sub(r"(gh[ps]_[a-zA-Z0-9]{36}|github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59})@", "", git_url)
+        # Remove credentials from the URL.
+        if git_url.startswith(("http://", "https://")):
+            # (addressing scheme, network location, path, query, fragment identifier)
+            urlparts = list(urlsplit(git_url))
+            urlparts[1] = urlparts[1].split("@", 1)[-1]
+            git_url = urlunsplit(urlparts)
+
+        return git_url
 
     def get_log(self) -> str:
         """Get the `git log` output.

diff --git a/tests/test_end_to_end.py b/tests/test_end_to_end.py
@@ -8,6 +8,7 @@
 import subprocess
 from functools import partial
 from typing import TYPE_CHECKING, Iterator
+from urllib.parse import urlsplit, urlunsplit
 
 import pytest
 
@@ -189,19 +190,21 @@ def test_no_duplicate_rendering(repo: Path, tmp_path: Path) -> None:
     assert rendered.count(latest_tag) == 3
 
 
-def test_removing_tokens_from_remotes(repo: Path) -> None:
-    """Remove GitHub tokens from remotes.
+def test_removing_credentials_from_remotes(repo: Path) -> None:
+    """Remove credentials from remotes.
 
     Parameters:
         repo: Temporary Git repository (fixture).
     """
     git = partial(_git, "-C", str(repo))
-    tokens = [
+    credentials = [
         "ghp_abcdefghijklmnOPQRSTUVWXYZ0123456789",
         "ghs_abcdefghijklmnOPQRSTUVWXYZ0123456789",
         "github_pat_abcdefgOPQRS0123456789_abcdefghijklmnOPQRSTUVWXYZ0123456789abcdefgOPQRS0123456789A",
+        "user:password",
     ]
-    for token in tokens:
-        git("remote", "set-url", "origin", f"https://{token}@github.com:example/example")
+    for creds in credentials:
+        git("remote", "set-url", "origin", f"https://{creds}@github.com:example/example")
         changelog = Changelog(repo)
-        assert token not in changelog.remote_url
+        assert creds not in changelog.remote_url
+        assert urlunsplit(urlsplit(changelog.remote_url)) == changelog.remote_url