fix(python-sdk): percent-encode git credentials in with_credentials#1507
Open
anxkhn wants to merge 1 commit into
Open
fix(python-sdk): percent-encode git credentials in with_credentials#1507anxkhn wants to merge 1 commit into
anxkhn wants to merge 1 commit into
Conversation
git.clone and git.pull embed HTTP(S) credentials via with_credentials, which interpolated the username and password straight into the URL netloc. A user/token containing URL-reserved characters (@ : / # ?) produced a corrupted git URL and broke authentication. Percent-encode both parts with quote(safe=''), matching the JS SDK which already encodes via the WHATWG URL setters. Alphanumeric tokens are unchanged. Add offline unit tests for the Python helper and a JS parity test to lock the encoded output.
|
We require contributors to sign our Contributor License Agreement, and we don't have @anxkhn on file. You can sign our CLA at https://e2b.dev/docs/cla . Once you've signed, post a comment here that says '@cla-bot check' |
🦋 Changeset detectedLatest commit: 7bb977b The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
Contributor
Author
|
@cla-bot check |
|
The cla-bot has been summoned, and re-checked this pull request! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Sandbox.git.cloneandSandbox.git.pullembed HTTP(S) credentials by passing themthrough
with_credentials(packages/python-sdk/e2b/sandbox/_git/auth.py), which builtthe URL netloc by raw string interpolation:
A username, password, or token that contains URL-reserved characters (
@ : / # ?) isspliced straight into the netloc, so the resulting URL is corrupted and git auth fails.
Common GitHub PATs are alphanumeric and unaffected, but GitLab/Bitbucket app passwords
and many tokens do contain reserved characters.
The JavaScript SDK does not have this problem:
withCredentials(
packages/js-sdk/src/sandbox/git/utils.ts) assignsparsed.username/parsed.passwordthrough the WHATWG
URLsetters, which percent-encode automatically. So the two SDKsdisagree on identical input.
p@ss/w:rduser:p@ss/w:rd@github.com/...user:p%40ss%2Fw%3Ard@github.com/...x#y?zuser:x#y?z@github.com/...user:x%23y%3Fz@github.com/...ghp_AbC123user:ghp_AbC123@...(ok)user:ghp_AbC123@...(unchanged)Fix
Percent-encode both parts with
quote(safe='')before building the netloc, matching theJS SDK byte-for-byte. Alphanumeric tokens are unchanged.
This is the only behavior change. Sync and async share this single helper, so both clone
and pull are fixed by the one-line edit.
Usage example (now works)
Tests
packages/python-sdk/tests/shared/git/test_auth.py(new, 5 offline cases): reservedchars encode, alphanumeric token unchanged, no-cred passthrough, partial creds raise,
non-http(s) raises. Runs without a sandbox (imports
e2b.sandbox._git).packages/js-sdk/tests/sandbox/git/validation.test.ts(+1 case): locks the JS encodedoutput so the two SDKs stay in parity.
Changeset:
@e2b/python-sdkpatch.