From 3a89a7b381707879507f9bc5e3d6e8d8222d1e54 Mon Sep 17 00:00:00 2001 From: Timo Teräs Date: Mon, 5 Oct 2020 12:58:46 +0300 Subject: db: mask password component of printed URLs fixes #10710 (cherry picked from commit 6cedfe27ac566e7de7d0c24778c4280e8311bbec) --- src/apk_print.h | 12 ++++++++++++ src/database.c | 31 +++++++++++++++++++------------ src/print.c | 24 ++++++++++++++++++++++++ 3 files changed, 55 insertions(+), 12 deletions(-) (limited to 'src') diff --git a/src/apk_print.h b/src/apk_print.h index 841107d..962ff69 100644 --- a/src/apk_print.h +++ b/src/apk_print.h @@ -14,6 +14,18 @@ #include "apk_blob.h" +struct apk_url_print { + const char *url; + const char *pwmask; + const char *url_or_host; + size_t len_before_pw; +}; + +void apk_url_parse(struct apk_url_print *, const char *); + +#define URL_FMT "%.*s%s%s" +#define URL_PRINTF(u) u.len_before_pw, u.url, u.pwmask, u.url_or_host + #define apk_error(args...) do { apk_log_err("ERROR: ", args); } while (0) #define apk_warning(args...) do { if (apk_verbosity > 0) { apk_log_err("WARNING: ", args); } } while (0) #define apk_message(args...) do { if (apk_verbosity > 0) { apk_log(NULL, args); } } while (0) diff --git a/src/database.c b/src/database.c index 0f23284..d9aadc6 100644 --- a/src/database.c +++ b/src/database.c @@ -581,14 +581,15 @@ int apk_repo_format_cache_index(apk_blob_t to, struct apk_repository *repo) return 0; } -int apk_repo_format_real_url(struct apk_database *db, struct apk_repository *repo, - struct apk_package *pkg, char *buf, size_t len) +int apk_repo_format_real_url(apk_blob_t *default_arch, struct apk_repository *repo, + struct apk_package *pkg, char *buf, size_t len, + struct apk_url_print *urlp) { apk_blob_t arch; int r; if (pkg && pkg->arch) arch = *pkg->arch; - else arch = *db->arch; + else arch = *default_arch; if (pkg != NULL) r = snprintf(buf, len, "%s%s" BLOB_FMT "/" PKG_FILE_FMT, 
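Review bot: `URL_PRINTF` passes `u.len_before_pw`, declared `size_t` in `struct apk_url_print`, as the precision argument for the `%.*s` in `URL_FMT`, but a `*` precision must be an `int`. Where `size_t` is wider than `int` this is a variadic type mismatch (undefined behaviour), and the string arguments that follow may be read from the wrong slots. Cast in the macro and parenthesise the argument: `#define URL_PRINTF(u) (int)(u).len_before_pw, (u).url, (u).pwmask, (u).url_or_host`. A one-line comment on the struct saying that its pointers alias the string handed to `apk_url_parse` would also help callers keep that buffer alive while printing.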
@@ -600,6 +601,8 @@ int apk_repo_format_real_url(struct apk_database *db, struct apk_repository *rep BLOB_PRINTF(arch), apkindex_tar_gz); if (r >= len) return -ENOBUFS; + + if (urlp) apk_url_parse(urlp, buf); return 0; } @@ -611,7 +614,7 @@ int apk_repo_format_item(struct apk_database *db, struct apk_repository *repo, s return apk_pkg_format_cache_pkg(APK_BLOB_PTR_LEN(buf, len), pkg); } else { *fd = AT_FDCWD; - return apk_repo_format_real_url(db, repo, pkg, buf, len); + return apk_repo_format_real_url(db->arch, repo, pkg, buf, len, 0); } } @@ -620,6 +623,7 @@ int apk_cache_download(struct apk_database *db, struct apk_repository *repo, apk_progress_cb cb, void *cb_ctx) { struct stat st = {0}; + struct apk_url_print urlp; struct apk_istream *is; struct apk_bstream *bs; struct apk_sign_ctx sctx; @@ -636,7 +640,7 @@ int apk_cache_download(struct apk_database *db, struct apk_repository *repo, r = apk_repo_format_cache_index(b, repo); if (r < 0) return r; - r = apk_repo_format_real_url(db, repo, pkg, url, sizeof(url)); + r = apk_repo_format_real_url(db->arch, repo, pkg, url, sizeof(url), &urlp); if (r < 0) return r; if (autoupdate && !(apk_force & APK_FORCE_REFRESH)) { @@ -644,8 +648,7 @@ int apk_cache_download(struct apk_database *db, struct apk_repository *repo, now - st.st_mtime <= db->cache_max_age) return -EALREADY; } - - apk_message("fetch %s", url); + apk_message("fetch " URL_FMT, URL_PRINTF(urlp)); if (apk_flags & APK_SIMULATE) return 0; if (cb) cb(cb_ctx, 0); 
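Review bot: `apk_repo_format_real_url` writes `*urlp` only after the `-ENOBUFS` return, so on failure the caller's struct is left uninitialised and a later `URL_PRINTF(urlp)` would read garbage. The callers in this patch check `r` before printing, but nothing states the rule. Add a comment above the function, for example `/* On success *urlp (if non-NULL) points into buf; it is not written on error. */`. The function starts outside this hunk.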
@@ -2143,12 +2146,14 @@ struct apk_repository *apk_db_select_repo(struct apk_database *db, static int apk_repository_update(struct apk_database *db, struct apk_repository *repo) { + struct apk_url_print urlp; int r, verify = (apk_flags & APK_ALLOW_UNTRUSTED) ? APK_SIGN_NONE : APK_SIGN_VERIFY; r = apk_cache_download(db, repo, NULL, verify, 1, NULL, NULL); if (r == -EALREADY) return 0; if (r != 0) { - apk_error("%s: %s", repo->url, apk_error_str(r)); + apk_url_parse(&urlp, repo->url); + apk_error(URL_FMT ": %s", URL_PRINTF(urlp), apk_error_str(r)); db->repo_update_errors++; } else { db->repo_update_counter++; @@ -2238,6 +2243,7 @@ int apk_db_add_repository(apk_database_t _db, apk_blob_t _repository) struct apk_database *db = _db.db; struct apk_bstream *bs = NULL; struct apk_repository *repo; + struct apk_url_print urlp; apk_blob_t brepo, btag; int repo_num, r, targz = 1, tag_id = 0; char buf[PATH_MAX], *url; @@ -2280,8 +2286,8 @@ int apk_db_add_repository(apk_database_t _db, apk_blob_t _repository) if (!(apk_flags & APK_NO_NETWORK)) db->available_repos |= BIT(repo_num); if (apk_flags & APK_NO_CACHE) { - r = apk_repo_format_real_url(db, repo, NULL, buf, sizeof(buf)); - if (r == 0) apk_message("fetch %s", buf); + r = apk_repo_format_real_url(db->arch, repo, NULL, buf, sizeof(buf), &urlp); + if (r == 0) apk_message("fetch " URL_FMT, URL_PRINTF(urlp)); } else { if (db->autoupdate) apk_repository_update(db, repo); r = apk_repo_format_cache_index(APK_BLOB_BUF(buf), repo); @@ -2289,7 +2295,7 @@ int apk_db_add_repository(apk_database_t _db, apk_blob_t _repository) } else { db->local_repos |= BIT(repo_num); db->available_repos |= BIT(repo_num); - r = apk_repo_format_real_url(db, repo, NULL, buf, sizeof(buf)); + r = apk_repo_format_real_url(db->arch, repo, NULL, buf, sizeof(buf), &urlp); } if (r == 0) { bs = apk_bstream_from_fd_url(db->cache_fd, buf); 
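Review bot: In the local-repository branch of `apk_db_add_repository` (hunk at -2289) `&urlp` is passed but, as far as the visible hunks show, its result is never printed. The only later use re-runs `apk_url_parse(&urlp, repo->url)` in the error path. Passing `NULL` makes it clear that nothing is logged from this call: `r = apk_repo_format_real_url(db->arch, repo, NULL, buf, sizeof(buf), NULL);`. The function continues outside the hunk, so confirm that no later code reads `urlp` before changing it.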
@@ -2300,7 +2306,8 @@ int apk_db_add_repository(apk_database_t _db, apk_blob_t _repository) } if (r != 0) { - apk_warning("Ignoring %s: %s", buf, apk_error_str(r)); + apk_url_parse(&urlp, repo->url); + apk_warning("Ignoring " URL_FMT ": %s", URL_PRINTF(urlp), apk_error_str(r)); db->available_repos &= ~BIT(repo_num); r = 0; } else { diff --git a/src/print.c b/src/print.c index b8f622f..c2198fc 100644 --- a/src/print.c +++ b/src/print.c @@ -195,3 +195,27 @@ void apk_log_err(const char *prefix, const char *format, ...) log_internal(stderr, prefix, format, va); va_end(va); } + +void apk_url_parse(struct apk_url_print *urlp, const char *url) +{ + const char *authority, *path_or_host, *pw; + + *urlp = (struct apk_url_print) { + .url = "", + .pwmask = "", + .url_or_host = url, + }; + + if (!(authority = strstr(url, "://"))) return; + authority += 3; + path_or_host = strpbrk(authority, "/@"); + if (!path_or_host || *path_or_host == '/') return; + pw = strpbrk(authority, "@:"); + if (!pw || *pw == '@') return; + *urlp = (struct apk_url_print) { + .url = url, + .pwmask = "*", + .url_or_host = path_or_host, + .len_before_pw = pw - url + 1, + }; +} -- cgit v1.2.3-70-g09d2
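Review bot: `apk_url_parse` in src/print.c has no comment describing its contract, and two properties matter to callers: the struct keeps pointers into `url` rather than copying it, and only a password in the `scheme://user:password@` position is replaced by `*`. A header comment should say that `url` must stay alive and unmodified while the result is printed, that the user name is still shown, and that secrets in the path or query string are printed as-is. The split is taken at the first `@` after `://`, so a URL whose password contains a literal, un-encoded `@` would have the tail of that password printed. Whether the fetch layer accepts such URLs is not visible here, so a test case or a note covering that input would be useful.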