Skip to content

fix(python-sdk): percent-encode git credentials in clone URL#1503

Open
Osamaali313 wants to merge 1 commit into
e2b-dev:mainfrom
Osamaali313:fix/git-credentials-url-encode
Open

fix(python-sdk): percent-encode git credentials in clone URL#1503
Osamaali313 wants to merge 1 commit into
e2b-dev:mainfrom
Osamaali313:fix/git-credentials-url-encode

Conversation

@Osamaali313

Copy link
Copy Markdown

Problem

with_credentials (packages/python-sdk/e2b/sandbox/_git/auth.py) embeds the username and password into the Git URL raw:

netloc = f"{username}:{password}@{parsed.netloc}"

When the username/token contains URL-significant characters (@, /, :, space, …) the URL is malformed. A password p@ss produces https://user:p@ss@github.com/org/repo.git, which git parses with host ss@github.com and rejects:

fatal: unable to access '.../': URL rejected: Bad hostname

The JS SDK builds the URL via the URL username/password setters, which do percent-encode — so the two SDKs disagree and the Python one breaks on real-world tokens.

Reproduction

with_credentials("https://github.com/o/r.git", "user", "p@ss")https://user:p@ss@github.com/o/r.git (before) vs https://user:p%40ss@github.com/o/r.git (after, matching JS).

Reachable via Sandbox.git.clone(url, username=..., password=...) and git.dangerously_authenticate(...).

Fix

Percent-encode both credentials with urllib.parse.quote(..., safe=''). strip_credentials still round-trips the encoded URL back to the clean one.

Tests

Adds packages/python-sdk/tests/shared/git/test_auth.py (encoding of special chars, strip round-trip, no-credentials passthrough). Changeset included.

with_credentials embedded the username and password into the Git URL raw, so a username or token containing URL-significant characters (@, /, :, space, ...) produced a malformed URL — e.g. a password 'p@ss' yielded 'https://user:p@ss@host/...', which git parses with host 'ss@host' and rejects. The JS SDK percent-encodes via the URL username/password setters, so the two SDKs disagreed. Encode both with urllib.parse.quote(safe=''). Adds tests.
@Osamaali313 Osamaali313 requested a review from jakubno as a code owner June 29, 2026 19:48
Copilot AI review requested due to automatic review settings June 29, 2026 19:48
@cla-bot

cla-bot Bot commented Jun 29, 2026

Copy link
Copy Markdown

We require contributors to sign our Contributor License Agreement, and we don't have @Osamaali313 on file. You can sign our CLA at https://e2b.dev/docs/cla . Once you've signed, post a comment here that says '@cla-bot check'

@changeset-bot

changeset-bot Bot commented Jun 29, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: 16ab4a6

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@e2b/python-sdk Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@Osamaali313

Copy link
Copy Markdown
Author

@cla-bot check

@cla-bot cla-bot Bot added the cla-signed label Jun 29, 2026
@cla-bot

cla-bot Bot commented Jun 29, 2026

Copy link
Copy Markdown

The cla-bot has been summoned, and re-checked this pull request!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants