fix: don't log username/password in binary mirror proxy URLs #1758
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
EverlastingBugstopper
force-pushed
the
avery/remove-auth-from-urls
branch
from
60d007d to
69128fd
Compare
aaronArinder
approved these changes
Oct 4, 2023
Merged
EverlastingBugstopper
added a commit
that referenced
this pull request
Oct 5, 2023
# [0.20.0] - 2023-10-05 ## 🚀 Features - **Persisted Queries is now GA - @glasser, #1756** The `rover persisted-queries publish` command is now out of the public preview phase and has entered general availability. Check out [the documentation](https://www.apollographql.com/docs/graphos/operations/persisted-queries) for this enterprise feature. ## 🐛 Fixes - **Better message for a subgraph published with no changes - @bonnici, #1757** `rover subgraph publish` now logs a message to `stdout` when a subgraph was published and there were no changes to the schema. - **Don't log username/password if `APOLLO_ROVER_DOWNLOAD_HOST` includes authentication in the URL - @EverlastingBugstopper, #1758** Previously, when using the `APOLLO_ROVER_DOWNLOAD_HOST` environment variable to override the download location of a plugin binary, Rover would log the entire URL to stdout, potentially leaking username and password authentication details if they were included in the URL. Now, Rover strips that information from the URLs before printing the download location. If Rover is not able to strip that information (likely due to an invalid URL), then it doesn't try to print the sanitized URL at all. ## 📚 Documentation - **Improve wording of persisted queries documentation - @Meschreiber, #1760**
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Previously, when using the
APOLLO_ROVER_DOWNLOAD_HOSTenvironment variable to override the download location of a plugin binary, Rover would log the entire URL tostdout, potentially leakingusernameandpasswordauthentication details if they were included in the URL. Now, Rover strips that information from the URLs before printing the download location. If Rover is not able to strip that information (likely due to an invalid URL), then it doesn't try to print the sanitized URL at all, instead opting to continue onwards (likely towards an error sending a request to an invalid URL).