Thanks to visit codestin.com
Credit goes to github.com

Skip to content

mask download url when there is a password#815

Merged
shadowspawn merged 11 commits intotj:developfrom
jinxiao:master
Oct 3, 2024
Merged

mask download url when there is a password#815
shadowspawn merged 11 commits intotj:developfrom
jinxiao:master

Conversation

@jinxiao
Copy link
Contributor

@jinxiao jinxiao commented Sep 27, 2024
edited
Loading

Pull Request

mask download url when there is a password.

Problem

When I use export N_NODE_MIRROR with username and password, I found that the password is a plaintext which cause our security concern.

Solution

I introduce a new variable called masked_url, when called log or something want to output the url, can use this variable.

ChangeLog

@jinxiao
mask download url when there is a password
b3c0f69 
mask download url when there is a password. Introduce a new variable called masked_url, to implement this.
@shadowspawn
Copy link
Collaborator

shadowspawn commented Sep 27, 2024

I am open to this. There are quite a log of places an URL gets displayed. One place I am particularly aware of is in show_diagnostics, enough that I put in a warning Note: some output may contain passwords. Redact before sharing..

I suggest move the masking code into a function, say display_masked_url, so it can be used in more places.

@jinxiao
Copy link
Contributor Author

jinxiao commented Sep 28, 2024

I am open to this. There are quite a log of places an URL gets displayed. One place I am particularly aware of is in show_diagnostics, enough that I put in a warning Note: some output may contain passwords. Redact before sharing..

I suggest move the masking code into a function, say display_masked_url, so it can be used in more places.

Good idea, I have changed this. Could you please have a check? I also changed the download URL in diagnostics to avoid any password leakage.

@shadowspawn shadowspawn changed the base branch from master to develop September 29, 2024 19:49
shadowspawn
shadowspawn reviewed Sep 29, 2024
View reviewed changes
shadowspawn
shadowspawn reviewed Sep 29, 2024
View reviewed changes
@jinxiao @shadowspawn
change url variables with quotes
01141ba 
to get rid of passwords with special symbol

Co-authored-by: John Gee <[email protected]>
shadowspawn
shadowspawn reviewed Sep 30, 2024
View reviewed changes
shadowspawn
shadowspawn reviewed Sep 30, 2024
View reviewed changes
shadowspawn
shadowspawn reviewed Sep 30, 2024
View reviewed changes
shadowspawn
shadowspawn reviewed Sep 30, 2024
View reviewed changes
@shadowspawn
Copy link
Collaborator

shadowspawn commented Sep 30, 2024

The quotes are a bit tricky with the nesting!

@shadowspawn shadowspawn reopened this Sep 30, 2024
@shadowspawn
Copy link
Collaborator

shadowspawn commented Sep 30, 2024

(Closed by mistake.)

jinxiao and others added 4 commits October 1, 2024 04:21
@jinxiao @shadowspawn
Update bin/n
614eb03 
Co-authored-by: John Gee <[email protected]>
@jinxiao @shadowspawn
Update bin/n
0ce4c61 
Co-authored-by: John Gee <[email protected]>
@jinxiao @shadowspawn
Update bin/n
10a7c62 
Co-authored-by: John Gee <[email protected]>
@jinxiao @shadowspawn
Update bin/n
bccf3a9 
Co-authored-by: John Gee <[email protected]>
shadowspawn
shadowspawn reviewed Oct 2, 2024
View reviewed changes
shadowspawn
shadowspawn reviewed Oct 2, 2024
View reviewed changes
@shadowspawn
Copy link
Collaborator

shadowspawn commented Oct 2, 2024

I misunderstood a couple of the uses, so added suggestions to preserve the original style.

@shadowspawn
Copy link
Collaborator

shadowspawn commented Oct 2, 2024

I was worried about spaces in password, but now I remember username and password need to be url-encoded for robustness anyway: https://github.com/tj/n/blob/master/docs/proxy-server.md

However, adding the quotes around the variable expansions fixes warnings from shellcheck so I would have wanted the changes anyway.

jinxiao and others added 2 commits October 3, 2024 07:35
@jinxiao @shadowspawn
Update bin/n
6fd8ac6 
Co-authored-by: John Gee <[email protected]>
@jinxiao @shadowspawn
Update bin/n
aeaddf4 
Co-authored-by: John Gee <[email protected]>
@shadowspawn shadowspawn added the pending release Merged into a branch for a future release, but not released yet label Oct 3, 2024
@shadowspawn
Copy link
Collaborator

shadowspawn commented Oct 3, 2024

Thanks @jinxiao

@shadowspawn shadowspawn merged commit cf40ac5 into tj:develop Oct 3, 2024
@shadowspawn
Copy link
Collaborator

shadowspawn commented Nov 8, 2024

Released in v10.1.0

@shadowspawn shadowspawn removed the pending release Merged into a branch for a future release, but not released yet label May 21, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@shadowspawn shadowspawn shadowspawn left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jinxiao @shadowspawn