Skip to content

fix(python-sdk): percent-encode git credentials in with_credentials#1507

Open
anxkhn wants to merge 1 commit into
e2b-dev:mainfrom
anxkhn:loop/e2b__002
Open

fix(python-sdk): percent-encode git credentials in with_credentials#1507
anxkhn wants to merge 1 commit into
e2b-dev:mainfrom
anxkhn:loop/e2b__002

Conversation

@anxkhn

@anxkhn anxkhn commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

What

Sandbox.git.clone and Sandbox.git.pull embed HTTP(S) credentials by passing them
through with_credentials (packages/python-sdk/e2b/sandbox/_git/auth.py), which built
the URL netloc by raw string interpolation:

netloc = f"{username}:{password}@{parsed.netloc}"

A username, password, or token that contains URL-reserved characters (@ : / # ?) is
spliced straight into the netloc, so the resulting URL is corrupted and git auth fails.
Common GitHub PATs are alphanumeric and unaffected, but GitLab/Bitbucket app passwords
and many tokens do contain reserved characters.

The JavaScript SDK does not have this problem: withCredentials
(packages/js-sdk/src/sandbox/git/utils.ts) assigns parsed.username / parsed.password
through the WHATWG URL setters, which percent-encode automatically. So the two SDKs
disagree on identical input.

password Python (before) JS / Python (after)
p@ss/w:rd user:p@ss/w:rd@github.com/... user:p%40ss%2Fw%3Ard@github.com/...
x#y?z user:x#y?z@github.com/... user:x%23y%3Fz@github.com/...
ghp_AbC123 user:ghp_AbC123@... (ok) user:ghp_AbC123@... (unchanged)

Fix

Percent-encode both parts with quote(safe='') before building the netloc, matching the
JS SDK byte-for-byte. Alphanumeric tokens are unchanged.

netloc = f"{quote(username, safe='')}:{quote(password, safe='')}@{parsed.netloc}"

This is the only behavior change. Sync and async share this single helper, so both clone
and pull are fixed by the one-line edit.

Usage example (now works)

from e2b import Sandbox

sbx = Sandbox()
# token with reserved characters no longer corrupts the URL
sbx.git.clone(
    "https://github.com/org/private.git",
    username="user",
    password="p@ss/w:rd",
)

Tests

  • packages/python-sdk/tests/shared/git/test_auth.py (new, 5 offline cases): reserved
    chars encode, alphanumeric token unchanged, no-cred passthrough, partial creds raise,
    non-http(s) raises. Runs without a sandbox (imports e2b.sandbox._git).
  • packages/js-sdk/tests/sandbox/git/validation.test.ts (+1 case): locks the JS encoded
    output so the two SDKs stay in parity.

Changeset: @e2b/python-sdk patch.

git.clone and git.pull embed HTTP(S) credentials via with_credentials,
which interpolated the username and password straight into the URL netloc.
A user/token containing URL-reserved characters (@ : / # ?) produced a
corrupted git URL and broke authentication.

Percent-encode both parts with quote(safe=''), matching the JS SDK which
already encodes via the WHATWG URL setters. Alphanumeric tokens are
unchanged. Add offline unit tests for the Python helper and a JS parity
test to lock the encoded output.
@cla-bot

cla-bot Bot commented Jun 30, 2026

Copy link
Copy Markdown

We require contributors to sign our Contributor License Agreement, and we don't have @anxkhn on file. You can sign our CLA at https://e2b.dev/docs/cla . Once you've signed, post a comment here that says '@cla-bot check'

@changeset-bot

changeset-bot Bot commented Jun 30, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: 7bb977b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@e2b/python-sdk Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@anxkhn

anxkhn commented Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

@cla-bot check

@cla-bot cla-bot Bot added the cla-signed label Jul 1, 2026
@cla-bot

cla-bot Bot commented Jul 1, 2026

Copy link
Copy Markdown

The cla-bot has been summoned, and re-checked this pull request!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant