Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

pipenv injects secrets into Pipfile and lock file

See original GitHub issue

Issue description

When running pipenv in an environment which has a PIP_INDEX_URL environment variable defined, and that env var contains credentials to use when authenticating to the package index server, those credentials are injected as plain-text into the Pipfile and Pipefile.lock files.

Expected result

pipenv should not inject index URLs containing credentials verbatim into the config file.

Actual result

pipenv does inject index URLs containing credentials into the config file.

Steps to replicate

We work behind a firewall with a mirror of the global PyPI repository in our lab. This mirror requires authentication to access. To make this work properly / easily with pip we generally expect users to define a custom PIP_INDEX_URL containing the users’ credentials along with the URL for the mirror.

Further, when using pipenv to create a new environment or install a package (ie: pipenv install requests), we end up getting a Pipfile that looks something like this:

[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true

[dev-packages]

[packages]
requests = {index = "https://<credentials>@<server_url>/pypi/pypi-virtual/simple",version = "*"}

[requires]
python_version = "3.7"

I debated whether this should be reported as a “bug” or perhaps just a feature request to have this behavior changed, however given the severity of the impact of this default behavior I thought it was better suited as a bug. The tools should never inject secrets into files that may be commited to version control and this behavior could be very easily overlooked by users of the tool, which makes me very hesitant to roll out this tool for widespread use on my team.

$ pipenv --support

Pipenv version: '2018.11.26'

Pipenv location: '/usr/local/lib/python3.7/site-packages/pipenv'

Python location: '/usr/local/opt/python/bin/python3.7'

Python installations found:

3.7.2: /usr/local/bin/python3
3.7.2: /usr/local/bin/python3.7m
3.6.1: /usr/local/bin/pypy3
3.5.2: /usr/local/bin/python3.5m
3.5.2: /usr/local/bin/python3.5
2.7.16: /usr/local/bin/python
2.7.16: /usr/local/bin/pythonw
2.7.13: /usr/local/bin/pypy
2.7.10: /usr/bin/python
2.7.10: /usr/bin/pythonw
2.7.10: /usr/bin/python2.7

PEP 508 Information:

{'implementation_name': 'cpython',
 'implementation_version': '3.7.2',
 'os_name': 'posix',
 'platform_machine': 'x86_64',
 'platform_python_implementation': 'CPython',
 'platform_release': '18.5.0',
 'platform_system': 'Darwin',
 'platform_version': 'Darwin Kernel Version 18.5.0: Mon Mar 11 20:40:32 PDT '
                     '2019; root:xnu-4903.251.3~3/RELEASE_X86_64',
 'python_full_version': '3.7.2',
 'python_version': '3.7',
 'sys_platform': 'darwin'}

System environment variables:

JENKINS_KEY
TERM_PROGRAM
TERM
SHELL
TMPDIR
Apple_PubSub_Socket_Render
VAULT_ADDR
TERM_PROGRAM_VERSION
PIP_INDEX_URL
OLDPWD
TERM_SESSION_ID
SDKMAN_PLATFORM
OBJC_DISABLE_INITIALIZE_FORK_SAFETY
USER
SDKMAN_CANDIDATES_API
PIP_INDEX_URL2
GITLAB_API_TOKEN
SSH_AUTH_SOCK
ART_KEY
LSCOLORS
PATH
PWD
JAVA_HOME
LANG
SDKMAN_VERSION
XPC_FLAGS
PS1
XPC_SERVICE_NAME
HOME
SHLVL
LOGNAME
SDKMAN_DIR
GROOVY_HOME
SDKMAN_CANDIDATES_DIR
JENKINS_SANDBOX_KEY
DISPLAY
_
__CF_USER_TEXT_ENCODING
PIP_DISABLE_PIP_VERSION_CHECK
PYTHONDONTWRITEBYTECODE
PIP_SHIMS_BASE_MODULE
PIP_PYTHON_PATH
PYTHONFINDER_IGNORE_UNSUPPORTED

Pipenv–specific environment variables:

Debug–specific environment variables:

PATH: /usr/X11R6/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/go/bin:/opt/X11/bin:~/Documents/node_modules/.bin
SHELL: /bin/bash
LANG: en_CA.UTF-8
PWD: *******

Contents of Pipfile (‘******/Pipfile’):

[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true

[dev-packages]

[packages]
requests = {index = "https://<credentials>@<server_url>/pypi/pypi-virtual/simple",version = "*"}

[requires]
python_version = "3.7"

Contents of Pipfile.lock (‘*****/Pipfile.lock’):

{
    "_meta": {
        "hash": {
            "sha256": "343de2d326ba044580f1fbb17c5ecdf44c9002aa99934966d44a6ef43585c754"
        },
        "pipfile-spec": 6,
        "requires": {
            "python_version": "3.7"
        },
        "sources": [
            {
                "name": "pypi",
                "url": "https://pypi.org/simple",
                "verify_ssl": true
            }
        ]
    },
    "default": {
        "certifi": {
            "hashes": [
                "sha256:59b7658e26ca9c7339e00f8f4636cdfe59d34fa37b9b04f6f9e9926b3cece1a5",
                "sha256:b26104d6835d1f5e49452a26eb2ff87fe7090b89dfcaee5ea2212697e1e1d7ae"
            ],
            "version": "==2019.3.9"
        },
        "chardet": {
            "hashes": [
                "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae",
                "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691"
            ],
            "version": "==3.0.4"
        },
        "idna": {
            "hashes": [
                "sha256:c357b3f628cf53ae2c4c05627ecc484553142ca23264e593d327bcde5e9c3407",
                "sha256:ea8b7f6188e6fa117537c3df7da9fc686d485087abf6ac197f9c46432f7e4a3c"
            ],
            "version": "==2.8"
        },
        "requests": {
            "hashes": [
                "sha256:11e007a8a2aa0323f5a921e9e6a2d7e4e67d9877e85773fba9ba6419025cbeb4",
                "sha256:9cf5292fcd0f598c671cfc1e0d7d1a7f13bb8085e9a590f48c010551dc6c4b31"
            ],
            "version": "==2.22.0"
        },
        "urllib3": {
            "hashes": [
                "sha256:a53063d8b9210a7bdec15e7b272776b9d42b2fd6816401a0d43006ad2f9902db",
                "sha256:d363e3607d8de0c220d31950a8f38b18d5ba7c0830facd71a1c6b1036b7ce06c"
            ],
            "version": "==1.25.2"
        }
    },
    "develop": {}
}

Issue Analytics

State:
Created 4 years ago
Reactions:2
Comments:12 (3 by maintainers)

Top GitHub Comments

1reaction

TheFriendlyCodercommented, May 23, 2019

Building upon my earlier comments, perhaps one easy solution for this problem could be to simply respect the use of the enviroment variable expansion in this case, and to preserve the Pipfile contents even when the PIP_INDEX_URL env var is found.

To put this another way, if I rename the PIP_INDEX_URL env var to PIP_INDEX_URL2, update the Pipfile to reflect the change, and re-run my test command, I get the expected behavior. Here is a sample Pipfile to illustrate what I mean:

name = "pypi"
url = "${PIP_INDEX_URL2}"
verify_ssl = true

[dev-packages]

[packages]
requests = {index = "pypi",version = "*"}

[requires]
python_version = "3.7"

With this Pipfile, I can run PIP_INDEX_URL2=$PIP_INDEX_URL && unset PIP_INDEX_URL && pipenv install requests and I get the desired results. The package is installed from the PyPI index url provided by PIP_INDEX_URL2, and the Pipfile remains unaffected by the install operation.

NOTE: This is not a scalable solution for general use, however. Our team manages dozens of Python libraries and applications, not all of which would be using pipenv. For those that do not we would still need the PIP_INDEX_URL env var defined so the traditional package tools continue to work. Further, it would not be practical or safe for us to continually define and undefine this env var depending on the project we are working on because accidentally forgetting to undefine the variable could have the adverse effect of having our private credentials being injected into the config files and risk being committed to version control afterwards. This would be too risky and fragile to be considered a viable workaround.

0reactions

matteiuscommented, Aug 19, 2022

I believe this is resolvable now – but let me know if its still an issue on pipenv==2022.8.19

Top Results From Across the Web

Advanced Usage of Pipenv - Read the Docs

Dependencies of wheels provided in a Pipfile will not be captured by $ pipenv lock . There are some known issues with using...

pipenv Documentation - Read the Docs

PIPENV FEATURES Generates and checks file hashes for locked dependencies when installing from Pipfile. lock. Automatically install required Python version when ...

pipenv: why to run pipenv lock when lock file is automatically ...

$ pipenv lock is used to create a Pipfile.lock, which declares all dependencies (and sub-dependencies) of your project, their latest available ...

Pipenv - Easily Manage Packages and Virtual Environments

In this Python Programming Tutorial, we will be learning how to use Pipenv. Pipenv is a new package manager that combines pip and...

How to use pipenv in your python project - jcutrer.com

pipenv keeps all virtual environment files in ~/.virtualenvs ... pipenv keeps track of what's been installed in the file Pipfile.lock ...