Mask passwords in URLs when converting to a string

Author: zanderxyz

httpx/_urls.py

@@ -371,33 +371,36 @@ def __hash__(self) -> int:
     def __eq__(self, other: typing.Any) -> bool:
         return isinstance(other, (URL, str)) and str(self) == str(URL(other))
 
-    def __str__(self) -> str:
-        return str(self._uri_reference)
-
-    def __repr__(self) -> str:
-        scheme, userinfo, host, port, path, query, fragment = self._uri_reference
-
-        if ":" in userinfo:
-            # Mask any password component.
-            userinfo = f'{userinfo.split(":")[0]}:[secure]'
+    def _get_url_string(self) -> str:
+        scheme, _userinfo, host, port, path, query, fragment = self._uri_reference
+        # Do not use the userinfo at all
+        # Basic auth credentials are passed as a header and do not need to be in the URL
 
         authority = "".join(
             [
-                f"{userinfo}@" if userinfo else "",
                 f"[{host}]" if ":" in host else host,
                 f":{port}" if port is not None else "",
             ]
         )
+
         url = "".join(
             [
-                f"{self.scheme}:" if scheme else "",
+                f"{scheme}:" if scheme else "",
                 f"//{authority}" if authority else "",
                 path,
                 f"?{query}" if query is not None else "",
                 f"#{fragment}" if fragment is not None else "",
             ]
         )
 
+        return url
+
+    def __str__(self) -> str:
+        # Always use this URL string to avoid inadvertently leaking credentials
+        return self._get_url_string()
+
+    def __repr__(self) -> str:
+        url = self._get_url_string()
         return f"{self.__class__.__name__}({url!r})"
 
     @property

tests/client/test_auth.py

@@ -302,7 +302,7 @@ async def test_auth_disable_per_request() -> None:
 
 def test_auth_hidden_url() -> None:
     url = "http://example-username:[email protected]/"
-    expected = "URL('http://example-username:[secure]@example.org/')"
+    expected = "URL('http://example.org/')"
     assert url == httpx.URL(url)
     assert expected == repr(httpx.URL(url))
 

tests/models/test_responses.py

@@ -89,7 +89,8 @@ def test_response_json():
 
 
 def test_raise_for_status():
-    request = httpx.Request("GET", "https://example.org")
+    # The credentials here should be removed from all exception strings below
+    request = httpx.Request("GET", "https://user:[email protected]")
 
     # 2xx status codes are not an error.
     response = httpx.Response(200, request=request)

tests/models/test_url.py

@@ -591,7 +591,7 @@ def test_url_copywith_authority_subcomponents():
     }
     url = httpx.URL("https://example.org")
     new = url.copy_with(**copy_with_kwargs)
-    assert str(new) == "https://username:password@example.net:444"
+    assert str(new) == "https://example.net:444"
 
 
 def test_url_copywith_netloc():
@@ -610,7 +610,7 @@ def test_url_copywith_userinfo_subcomponents():
     }
     url = httpx.URL("https://example.org")
     new = url.copy_with(**copy_with_kwargs)
-    assert str(new) == "https://tom%40example.org:abc123%40%20%@example.org"
+    assert str(new) == "https://example.org"
     assert new.username == "[email protected]"
     assert new.password == "abc123@ %"
     assert new.userinfo == b"tom%40example.org:abc123%40%20%"

tests/test_utils.py

@@ -65,6 +65,26 @@ def test_logging_request(server, caplog):
     ]
 
 
+def test_logging_request_with_auth(server, caplog):
+    caplog.set_level(logging.INFO)
+    with httpx.Client() as client:
+        credentials = {
+            "username": "user",
+            "password": "abc123%",
+        }
+        url = server.url.copy_with(**credentials)
+        response = client.get(url)
+        assert response.status_code == 200
+
+    assert caplog.record_tuples == [
+        (
+            "httpx",
+            logging.INFO,
+            'HTTP Request: GET http://127.0.0.1:8000/ "HTTP/1.1 200 OK"',
+        )
+    ]
+
+
 def test_logging_redirect_chain(server, caplog):
     caplog.set_level(logging.INFO)
     with httpx.Client(follow_redirects=True) as client: