authorMichael Mercier <michael.mercier@ryax.tech>2021-03-11 18:46:34 +0100
committerMichael Mercier <michael.mercier@ryax.tech>2021-03-11 18:46:34 +0100
commit3a4fc6abfb3b39237f557372262ac79f45b6a9fa (patch)
treefadc8e0b68149c926aa2c1d4bac845c9dcf63b90
parent20f4a9d49b466a18f1af1fdfb480bc4520a4cdc2 (diff)
downloadgitpython-3a4fc6abfb3b39237f557372262ac79f45b6a9fa.tar.gz
Replace password in URI by stars if present + test
-rw-r--r--git/repo/base.py8
-rw-r--r--test/test_repo.py11
2 files changed, 18 insertions, 1 deletions
diff --git a/git/repo/base.py b/git/repo/base.py
index 8f1ef0a6..44e3f859 100644
--- a/git/repo/base.py
+++ b/git/repo/base.py
@@ -969,7 +969,13 @@ class Repo(object):
handle_process_output(proc, None, progress.new_message_handler(), finalize_process, decode_streams=False)
else:
(stdout, stderr) = proc.communicate()
- log.debug("Cmd(%s)'s unused stdout: %s", getattr(proc, 'args', ''), stdout)
+ cmdline = getattr(proc, 'args', '')
+ uri = cmdline[-2]
+ if "://" in uri and "@" in uri:
+ cred = uri.split("://")[1].split("@")[0].split(":")
+ if len(cred) == 2:
+ cmdline[-2] = uri.replace(cred[1], "******")
+ log.debug("Cmd(%s)'s unused stdout: %s", cmdline, stdout)
finalize_process(proc, stderr=stderr)
# our git command could have a different working dir than our actual
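Review bot: The masking added under `else:` assumes `cmdline[-2]` is the URL and takes it apart with `split`, so several inputs either break it or are logged unmasked. `getattr(proc, 'args', '')` falls back to `''`, where `cmdline[-2]` raises IndexError; a password containing `:` gives `len(cred) == 3` and is logged in clear; an empty password turns `uri.replace('', '******')` into stars between every character; and `replace` also rewrites any other occurrence of the password text in the host or path. The assignment `cmdline[-2] = ...` writes into `proc.args` itself rather than a copy, which changes what any later reader of `proc.args` sees and looks unintended. Parsing with `urllib.parse.urlsplit` (which needs `urlsplit` and `urlunsplit` imported at the top of the file) and rebuilding only the netloc avoids these cases. The enclosing method starts and ends outside the hunk.

```python
        else:
            (stdout, stderr) = proc.communicate()
            # Work on a copy so proc.args is not rewritten as a side effect of logging.
            args = getattr(proc, 'args', '')
            cmdline = list(args) if isinstance(args, (list, tuple)) else args
            if isinstance(cmdline, list) and len(cmdline) >= 2:
                try:
                    parts = urlsplit(str(cmdline[-2]))
                except ValueError:
                    parts = None
                if parts is not None and parts.password is not None:
                    # Keep user and host, replace only the password component.
                    # Userinfo without ':' (e.g. a bare token) is left as is; decide whether to mask it too.
                    user = parts.username or ""
                    host = parts.netloc.rpartition("@")[2]
                    cmdline[-2] = urlunsplit(parts._replace(netloc=user + ":******@" + host))
            log.debug("Cmd(%s)'s unused stdout: %s", cmdline, stdout)
            # … unchanged: finalize_process(proc, stderr=stderr) …
```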
diff --git a/test/test_repo.py b/test/test_repo.py
index d5ea8664..30e4f2cb 100644
--- a/test/test_repo.py
+++ b/test/test_repo.py
@@ -238,6 +238,17 @@ class TestRepo(TestBase):
except UnicodeEncodeError:
self.fail('Raised UnicodeEncodeError')
+ @with_rw_directory
+ def test_leaking_password_in_clone_logs(self, rw_dir):
+ """Check that the password is not printed on the logs"""
+ password = "fakepassword1234"
+ try:
+ Repo.clone_from(
+ url=f"https://fakeuser:{password}@fakerepo.example.com/testrepo",
+ to_path=rw_dir)
+ except GitCommandError as err:
+ assert password not in str(err)
+
@with_rw_repo('HEAD')
def test_max_chunk_size(self, repo):
class TestOutputStream(TestBase):
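Review bot: `test_leaking_password_in_clone_logs` asserts on `str(err)` rather than on log output, so it does not exercise the `log.debug` masking this commit adds in git/repo/base.py, and it passes vacuously when `Repo.clone_from` raises nothing. Wrapping the call in `with self.assertRaises(GitCommandError) as cm:` and checking `password not in str(cm.exception)` makes the failure path mandatory. To cover the log line itself, run the clone inside `with self.assertLogs(level='DEBUG') as captured:` and assert `password not in "\n".join(captured.output)`; the logger name used by base.py is not visible here, so capturing on the root logger is the safe default. The test also relies on the clone of `fakerepo.example.com` failing, which deserves a one-line comment.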