vcs: fix parsing of basic auth http(s) credentials

python-poetry · Nov 22, 2024 · 1833a5a · 1833a5a
1 parent 23ad2f7
commit 1833a5a
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 2 deletions.
diff --git a/src/poetry/core/vcs/git.py b/src/poetry/core/vcs/git.py
@@ -11,7 +11,10 @@
 
 
 PROTOCOL = r"\w+"
-USER = r"[a-zA-Z0-9_.-]+"
+# https://url.spec.whatwg.org/#forbidden-host-code-point
+URL_RESTRICTED = r"[^/\?#:@<>\[\]\|]"
+USER = rf"{URL_RESTRICTED}+"
+USER_AUTH_HTTP = rf"((?P<username>{USER})(:(?P<password>{URL_RESTRICTED}*))?)"
 RESOURCE = r"[a-zA-Z0-9_.-]+"
 PORT = r"\d+"
 PATH = r"[%\w~.\-\+/\\\$]+"
@@ -32,14 +35,24 @@
 PATTERNS = [
     re.compile(
         r"^(git\+)?"
-        r"(?P<protocol>https?|git|ssh|rsync|file)://"
+        r"(?P<protocol>git|ssh|rsync|file)://"
         rf"(?:(?P<user>{USER})@)?"
         rf"(?P<resource>{RESOURCE})?"
         rf"(:(?P<port>{PORT}))?"
         rf"(?P<pathname>[:/\\]({PATH}[/\\])?"
         rf"((?P<name>{NAME}?)(\.git|[/\\])?)?)"
         rf"{PATTERN_SUFFIX}"
     ),
+    re.compile(
+        r"^(git\+)?"
+        r"(?P<protocol>https?)://"
+        rf"(?:(?P<user>{USER_AUTH_HTTP})@)?"
+        rf"(?P<resource>{RESOURCE})?"
+        rf"(:(?P<port>{PORT}))?"
+        rf"(?P<pathname>[:/\\]({PATH}[/\\])?"
+        rf"((?P<name>{NAME}?)(\.git|[/\\])?)?)"
+        rf"{PATTERN_SUFFIX}"
+    ),
     re.compile(
         r"(git\+)?"
         rf"((?P<protocol>{PROTOCOL})://)"

diff --git a/tests/vcs/test_vcs.py b/tests/vcs/test_vcs.py
@@ -272,6 +272,42 @@ def test_normalize_url(url: str, normalized: GitUrl) -> None:
                 None,
             ),
         ),
+        (
+            "git+https://username:@github.com/sdispater/pendulum",
+            ParsedUrl(
+                "https",
+                "github.com",
+                "/sdispater/pendulum",
+                "username:",
+                None,
+                "pendulum",
+                None,
+            ),
+        ),
+        (
+            "git+https://username:[email protected]/sdispater/pendulum",
+            ParsedUrl(
+                "https",
+                "github.com",
+                "/sdispater/pendulum",
+                "username:password",
+                None,
+                "pendulum",
+                None,
+            ),
+        ),
+        (
+            "git+https://username+suffix:[email protected]/sdispater/pendulum",
+            ParsedUrl(
+                "https",
+                "github.com",
+                "/sdispater/pendulum",
+                "username+suffix:password",
+                None,
+                "pendulum",
+                None,
+            ),
+        ),
         (
             "git+https://github.com/sdispater/pendulum#7a018f2d075b03a73409e8356f9b29c9ad4ea2c5",
             ParsedUrl(