feat: add std::fmt::Display to Url type.

Byron · Byron · commit ebca00abeb85 · 2024-01-03T07:58:30.000+01:00
That way it's possible to have a more safe display implementation
that tries to not spill obvious secrets, like the password of a
URL.
diff --git a/gix-url/src/impls.rs b/gix-url/src/impls.rs
@@ -78,3 +78,17 @@ impl<'a> TryFrom<std::borrow::Cow<'a, BStr>> for Url {
         Self::try_from(&*value)
     }
 }
+
+impl std::fmt::Display for Url {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        let mut storage;
+        let to_print = if self.password.is_some() {
+            storage = self.clone();
+            storage.password = Some("<redacted>".into());
+            &storage
+        } else {
+            self
+        };
+        to_print.to_bstring().fmt(f)
+    }
+}
diff --git a/gix-url/src/lib.rs b/gix-url/src/lib.rs
@@ -55,13 +55,17 @@ pub fn expand_path(user: Option<&expand_path::ForUser>, path: &BStr) -> Result<P
 
 /// A URL with support for specialized git related capabilities.
 ///
-/// Additionally there is support for [deserialization](Url::from_bytes()) and serialization
-/// (_see the [`std::fmt::Display::fmt()`] implementation_).
+/// Additionally there is support for [deserialization](Url::from_bytes()) and [serialization](Url::to_bstring()).
 ///
 /// # Security Warning
 ///
-/// URLs may contain passwords and we serialize them when [formatting](std::fmt::Display) or
-/// [serializing losslessly](Url::to_bstring()).
+/// URLs may contain passwords and using standard [formatting](std::fmt::Display) will redact
+/// such password, whereas [lossless serialization](Url::to_bstring()) will contain all parts of the
+/// URL.
+/// **Beware that some URls still print secrets if they use them outside of the designated password fields.**
+///
+/// Also note that URLs that fail to parse are typically stored in [the resulting error](parse::Error) type
+/// and printed in full using its display implementation.
 #[derive(PartialEq, Eq, Debug, Hash, Ord, PartialOrd, Clone)]
 #[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))]
 pub struct Url {
diff --git a/gix-url/tests/access/mod.rs b/gix-url/tests/access/mod.rs
@@ -71,3 +71,23 @@ fn path_argument_safe() -> crate::Result {
     assert_eq!(url.path_argument_safe(), None);
     Ok(())
 }
+
+#[test]
+fn display() {
+    fn compare(input: &str, expected: &str, message: &str) {
+        let url = gix_url::parse(input.into()).expect("input is valid url");
+        assert_eq!(format!("{url}"), expected, "{message}");
+    }
+
+    compare(
+        "ssh://foo/-oProxyCommand=open$IFS-aCalculator",
+        "ssh://foo/-oProxyCommand=open$IFS-aCalculator",
+        "it round-trips with sane unicode and without password",
+    );
+    compare("/path/to/repo", "/path/to/repo", "same goes for simple paths");
+    compare(
+        "https://user:password@host/path",
+        "https://user:<redacted>@host/path",
+        "it visibly redacts passwords though",
+    );
+}
