From 4347dc7ab33ea4c6657578d234fd986bbfb4e3bc Mon Sep 17 00:00:00 2001 From: Hisham Muhammad Date: Tue, 17 Mar 2015 19:37:33 -0300 Subject: Redact API URL to hide API key. Problem pointed out by @ignacio in #273. --- src/luarocks/upload/api.lua | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) (limited to 'src') diff --git a/src/luarocks/upload/api.lua b/src/luarocks/upload/api.lua index fd476968..ec6ef3bb 100644 --- a/src/luarocks/upload/api.lua +++ b/src/luarocks/upload/api.lua @@ -119,6 +119,11 @@ end local ltn12_ok, ltn12 = pcall(require, "ltn12") if not ltn12_ok then -- If not using LuaSocket and/or LuaSec... +local function redact_api_url(url) + url = tostring(url) + return (url:gsub(".*/api/[^/]+/[^/]+", "")) +end + function Api:request(url, params, post_params) local vars = cfg.variables local json_ok, json = require_json() @@ -157,26 +162,26 @@ function Api:request(url, params, post_params) end local ok = fs.execute_string(curl_cmd..fs.Q(url).." -o "..fs.Q(tmpfile)) if not ok then - return nil, "API failure: " .. tostring(url) + return nil, "API failure: " .. redact_api_url(url) end else local ok, err = fs.download(url, tmpfile) if not ok then - return nil, "API failure: " .. tostring(err) .. " - " .. tostring(url) + return nil, "API failure: " .. tostring(err) .. " - " .. redact_api_url(url) end end local tmpfd = io.open(tmpfile) if not tmpfd then os.remove(tmpfile) - return nil, "API failure reading temporary file - " .. tostring(url) + return nil, "API failure reading temporary file - " .. redact_api_url(url) end out = tmpfd:read("*a") tmpfd:close() os.remove(tmpfile) if self.debug then - util.printout("[" .. tostring(method) .. " via curl] " .. tostring(url) .. " ... ") + util.printout("[" .. tostring(method) .. " via curl] " .. redact_api_url(url) .. " ... ") end return json.decode(out) 
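Review bot: `redact_api_url` is declared `local` directly after `if not ltn12_ok then`, so it is visible only inside that branch. The calls added in the hunks at new lines 234 and 248 are in the `Api:request` that uses `http.request`, which appears to be the other branch of the same conditional (the `else` is outside the visible hunks). There the name would resolve to a nil global, so the debug print and the non-200 path would raise instead of producing a message. Moving the definition above `local ltn12_ok, ltn12 = pcall(require, "ltn12")` puts it in scope for both implementations. The helper also fails open, so a comment would help, e.g. `-- Drops everything up to and including the two path segments after /api/ (the second is presumably the API key); input without that prefix is returned unchanged`.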
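Review bot: In the `fs.download` failure path the new message still concatenates `tostring(err)` unredacted. If the downloader's error text echoes the requested URL (not visible here), the key leaks through `err` even though `url` is now redacted. It is worth checking what `fs.download` returns and, if it can carry the URL, scrubbing `err` or leaving it out of the message. Separately, the context line `fs.execute_string(curl_cmd..fs.Q(url).." -o "..fs.Q(tmpfile))` still passes the full URL as a curl argument, where the process list can expose it to other local users; this commit covers only printed and returned strings. `Api:request` begins before this hunk and continues past it.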
@@ -229,7 +234,7 @@ function Api:request(url, params, post_params) end local method = post_params and "POST" or "GET" if self.debug then - util.printout("[" .. tostring(method) .. " via "..via.."] " .. tostring(url) .. " ... ") + util.printout("[" .. tostring(method) .. " via "..via.."] " .. redact_api_url(url) .. " ... ") end local out = {} local _, status = http.request({ @@ -243,7 +248,7 @@ function Api:request(url, params, post_params) util.printout(tostring(status)) end if status ~= 200 then - return nil, "API returned " .. tostring(status) .. " - " .. tostring(url) + return nil, "API returned " .. tostring(status) .. " - " .. redact_api_url(url) end return json.decode(table.concat(out)) end -- cgit v1.2.3-55-g6feb