Skip to content

Commit 3515d36

Browse files
hsbtclaude
andcommitted
Verify embedded credentials are stripped from copied git origin
The existing copy_to specs only proved we avoid the credential-bearing configured URI. Add a case where the remote URI itself embeds a password so the credential_filtered_uri stripping is exercised directly. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
1 parent 8401e5b commit 3515d36

1 file changed

Lines changed: 11 additions & 0 deletions

File tree

spec/bundler/source/git/git_proxy_spec.rb

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -124,6 +124,17 @@
124124
git_proxy.copy_to(destination)
125125
end
126126
end
127+
128+
context "when the remote URI embeds credentials" do
129+
let(:uri) { "https://user:secret@github.com/ruby/rubygems.git" }
130+
131+
it "strips the password before writing origin" do
132+
filtered_uri = "https://user@github.com/ruby/rubygems.git"
133+
expect(git_proxy).not_to receive(:capture).with(["remote", "set-url", "origin", uri], destination)
134+
expect(git_proxy).to receive(:capture).with(["remote", "set-url", "origin", filtered_uri], destination).and_return(["", "", clone_result])
135+
git_proxy.copy_to(destination)
136+
end
137+
end
127138
end
128139

129140
describe "#version" do

0 commit comments

Comments
 (0)