Mask passwords in URLs when converting to a string

Author: zanderxyz

httpx/_urls.py

@@ -371,10 +371,7 @@ def __hash__(self) -> int:
     def __eq__(self, other: typing.Any) -> bool:
         return isinstance(other, (URL, str)) and str(self) == str(URL(other))
 
-    def __str__(self) -> str:
-        return str(self._uri_reference)
-
-    def __repr__(self) -> str:
+    def _get_masked_url_string(self) -> str:
         scheme, userinfo, host, port, path, query, fragment = self._uri_reference
 
         if ":" in userinfo:
@@ -388,16 +385,25 @@ def __repr__(self) -> str:
                 f":{port}" if port is not None else "",
             ]
         )
+
         url = "".join(
             [
-                f"{self.scheme}:" if scheme else "",
+                f"{scheme}:" if scheme else "",
                 f"//{authority}" if authority else "",
                 path,
                 f"?{query}" if query is not None else "",
                 f"#{fragment}" if fragment is not None else "",
             ]
         )
 
+        return url
+
+    def __str__(self) -> str:
+        # Always use the masked URL string to avoid inadvertently leaking credentials
+        return self._get_masked_url_string()
+
+    def __repr__(self) -> str:
+        url = self._get_masked_url_string()
         return f"{self.__class__.__name__}({url!r})"
 
     @property

tests/models/test_responses.py

@@ -89,7 +89,8 @@ def test_response_json():
 
 
 def test_raise_for_status():
-    request = httpx.Request("GET", "https://example.org")
+    # The password here should be redacted from all exception strings below
+    request = httpx.Request("GET", "https://user:[email protected]")
 
     # 2xx status codes are not an error.
     response = httpx.Response(200, request=request)
@@ -101,7 +102,7 @@ def test_raise_for_status():
     with pytest.raises(httpx.HTTPStatusError) as exc_info:
         response.raise_for_status()
     assert str(exc_info.value) == (
-        "Informational response '101 Switching Protocols' for url 'https://example.org'\n"
+        "Informational response '101 Switching Protocols' for url 'https://user:[secure]@example.org'\n"
         "For more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/101"
     )
 
@@ -112,7 +113,7 @@ def test_raise_for_status():
     with pytest.raises(httpx.HTTPStatusError) as exc_info:
         response.raise_for_status()
     assert str(exc_info.value) == (
-        "Redirect response '303 See Other' for url 'https://example.org'\n"
+        "Redirect response '303 See Other' for url 'https://user:[secure]@example.org'\n"
         "Redirect location: 'https://other.org'\n"
         "For more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/303"
     )
@@ -124,7 +125,7 @@ def test_raise_for_status():
     with pytest.raises(httpx.HTTPStatusError) as exc_info:
         response.raise_for_status()
     assert str(exc_info.value) == (
-        "Client error '403 Forbidden' for url 'https://example.org'\n"
+        "Client error '403 Forbidden' for url 'https://user:[secure]@example.org'\n"
         "For more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/403"
     )
 
@@ -135,7 +136,7 @@ def test_raise_for_status():
     with pytest.raises(httpx.HTTPStatusError) as exc_info:
         response.raise_for_status()
     assert str(exc_info.value) == (
-        "Server error '500 Internal Server Error' for url 'https://example.org'\n"
+        "Server error '500 Internal Server Error' for url 'https://user:[secure]@example.org'\n"
         "For more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500"
     )
 

tests/models/test_url.py

@@ -591,7 +591,7 @@ def test_url_copywith_authority_subcomponents():
     }
     url = httpx.URL("https://example.org")
     new = url.copy_with(**copy_with_kwargs)
-    assert str(new) == "https://username:password@example.net:444"
+    assert str(new) == "https://username:[secure]@example.net:444"
 
 
 def test_url_copywith_netloc():
@@ -610,7 +610,7 @@ def test_url_copywith_userinfo_subcomponents():
     }
     url = httpx.URL("https://example.org")
     new = url.copy_with(**copy_with_kwargs)
-    assert str(new) == "https://tom%40example.org:abc123%40%20%@example.org"
+    assert str(new) == "https://tom%40example.org:[secure]@example.org"
     assert new.username == "[email protected]"
     assert new.password == "abc123@ %"
     assert new.userinfo == b"tom%40example.org:abc123%40%20%"

tests/test_utils.py

@@ -65,6 +65,26 @@ def test_logging_request(server, caplog):
     ]
 
 
+def test_logging_request_with_auth(server, caplog):
+    caplog.set_level(logging.INFO)
+    with httpx.Client() as client:
+        credentials = {
+            "username": "user",
+            "password": "abc123%",
+        }
+        url = server.url.copy_with(**credentials)
+        response = client.get(url)
+        assert response.status_code == 200
+
+    assert caplog.record_tuples == [
+        (
+            "httpx",
+            logging.INFO,
+            'HTTP Request: GET http://user:[secure]@127.0.0.1:8000/ "HTTP/1.1 200 OK"',
+        )
+    ]
+
+
 def test_logging_redirect_chain(server, caplog):
     caplog.set_level(logging.INFO)
     with httpx.Client(follow_redirects=True) as client: