Credential leaks in about.json when sending HTTP credentials via CLI

[dillon-cullinan]

Version: rattler-build 0.41.0 h159367c_0 conda-forge

Example command:

rattler-build build \
    --recipe conda/recipes/my-package/recipe.yaml \
    --channel https://${USERNAME}:${PASSWORD}@mydomain.com/conda/my-channel \
    --channel conda-forge \
    --output-dir ~/output

The resultant package will contain a file under info/about.json after extraction that looks like this:

{
  "channels": [
    "https://<PLAINT_TEXT_USERNAME>:<PLAIN_TEXT_PASSWORD>@mydomain.com/conda/my-channel",
    "conda-forge"
  ],
  [...]
}

Of course, this can be avoided by using rattler-build auth instead of authenticating via the --channel argument, but I believe there should be a level of sanitization done.

[wolfv]

Yes, that is definitely a high priority bug. Thank you for spotting this!

[pavelzw]

why are you not running rattler-build auth login --username ${USERNAME} --password ${PASSWORD} mydomain.com?