
No way to set --index_url without leaking password on error #2202

Open
aaron-michaux opened this issue Sep 7, 2024 · 6 comments

Comments

@aaron-michaux

🐞 bug report

Affected Rule

pip_parse(
    ...
    envsubst = ["PIP_INDEX_URL"],
    extra_pip_args = ["--index-url", "${PIP_INDEX_URL}"],
)

Is this a regression?

No

Description

We have an "index-url" that uses secure credentials. We do not want those credentials to leak into error logs when there's a pip error. However, the combo of setting envsubst and extra_pip_args precisely does this.

(We cannot use bzlmod, so we cannot use the bazel http downloader for python pip.)

🔬 Minimal Reproduction

Any pip_parse rule that errors will print the extra_pip_args.

Note that pip itself is smart enough to ***** out the password on PIP_INDEX_URL.

🔥 Exception or Error

command: ..../bin/python3 -m python.private.pypi.whl_installer.wheel_installer --requirement "..." --extra_pip_args "{\"arg\": [https://username:PASSWORD@someurl/simpl]}" ...

🌍 Your Environment

Operating System:

Linux

Output of bazel version:

Bazelisk version: v1.20.0
Build label: 6.3.2
Build target: .../BazelServer_deploy.jar
...

Rules_python version:

0.35.0

Anything else relevant?

=)

@aignas
Collaborator

aignas commented Sep 8, 2024

Would using the bazel downloader as described in the docs work for you in this case? It should hopefully not leak the credentials upon failures, but it is only supported in bzlmod.

@aaron-michaux
Author

Alas, we cannot use bzlmod because of complicated dependencies. Maybe in a few years we could.

@aignas
Collaborator

aignas commented Sep 9, 2024

bzlmod usage can be incremental - i.e. you could use bzlmod for rules_python but WORKSPACE for the rest. But you know better here.

I thought that when you use the envsubst feature you don't need to specify the --index-url manually anymore? Maybe I am misremembering that part...

@aaron-michaux
Author

I tried envsubst without extra_pip_args (i.e., --index-url), however that doesn't work. The docs say that envsubst allows env-variable substitution in extra_pip_args arguments. That is, it allows you to use ["--index-url", "${PIP_INDEX_URL}"], such that PIP_INDEX_URL is read from the environment.
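The two mechanisms discussed above (envsubst expanding `${PIP_INDEX_URL}` into `extra_pip_args`, and pip masking the password in an index URL before printing it) are easy to see side by side in a small script. The following is an added example, not code from rules_python or from anyone in this thread: `envsubst` is a hypothetical stand-in for the substitution behaviour described in the docs, `redact_credentials` and `safe_command_line` are assumed helper names, and `SAMPLE_ERROR` is a constructed string modelled on the error line in the report. Once the variable is expanded, the secret lives in the argument list, so any error path that echoes the arguments leaks it unless it is masked the way pip does.

```python
import os
import re
import shlex

# Assumed stand-in for the envsubst behaviour the thread describes
# (pip_parse(envsubst = [...], extra_pip_args = [...])): only names listed
# in `allowed` are expanded. This is not rules_python's own implementation.
_VAR_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def envsubst(args, allowed, env=None):
    """Expand ${NAME} references in args for NAME in `allowed`; others stay literal."""
    env = os.environ if env is None else env

    def expand(match):
        name = match.group(1)
        if name in allowed and name in env:
            return env[name]
        return match.group(0)

    return [_VAR_REF.sub(expand, arg) for arg in args]


# Matches the userinfo part of a URL, scheme://user:secret@...; the secret is
# everything between the first ':' after '://' and the '@'.
_URL_CREDENTIAL = re.compile(
    r"(?P<prefix>[A-Za-z][A-Za-z0-9+.\-]*://[^\s\"'/@:]+:)(?P<secret>[^\s\"'/@]+)@"
)


def redact_credentials(text):
    """Replace the password of every user:password@host URL in text with ****,
    the same masking pip applies to PIP_INDEX_URL in its own output."""
    return _URL_CREDENTIAL.sub(lambda m: m.group("prefix") + "****@", text)


def safe_command_line(argv):
    """Render argv for an error message with any URL passwords masked."""
    return redact_credentials(" ".join(shlex.quote(a) for a in argv))


# Constructed sample, modelled on the error line quoted in the report.
SAMPLE_ERROR = (
    "command: ..../bin/python3 -m python.private.pypi.whl_installer.wheel_installer "
    '--requirement "..." --extra_pip_args '
    '"{\\"arg\\": [https://username:PASSWORD@someurl/simpl]}" ...'
)


if __name__ == "__main__":
    # Constructed environment; in practice the value comes from the user's shell.
    env = {"PIP_INDEX_URL": "https://username:PASSWORD@someurl/simple"}
    argv = envsubst(["--index-url", "${PIP_INDEX_URL}"], {"PIP_INDEX_URL"}, env)
    print("after envsubst (leaks if echoed as-is):", argv)
    print("safe to log:", safe_command_line(argv))
    print(redact_credentials(SAMPLE_ERROR))
```

Running the script shows the expanded argument list containing the plain password, and the same list after masking, which is what an error message should print. The regex only touches URLs that actually carry a `user:password@` userinfo, so `http://host:8080/path` or a credential-free index URL passes through unchanged.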

@aignas
Collaborator

aignas commented Sep 11, 2024

@aaron-michaux
Author

Wouldn't that imply that the password is stored plain text in a WORKSPACE or .bzl file? And checked into git? How would different users have different passwords?
