cycode 3.8.8.dev1__py3-none-any.whl → 3.8.9__py3-none-any.whl

cycode/__init__.py

@@ -1 +1 @@
-__version__ = '3.8.8.dev1'  # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag
+__version__ = '3.8.9'  # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag

cycode/cli/apps/report/sbom/repository_url/repository_url_command.py

@@ -8,6 +8,10 @@ from cycode.cli.exceptions.handle_report_sbom_errors import handle_report_except
 from cycode.cli.utils.get_api_client import get_report_cycode_client
 from cycode.cli.utils.progress_bar import SbomReportProgressBarSection
 from cycode.cli.utils.sentry import add_breadcrumb
+from cycode.cli.utils.url_utils import sanitize_repository_url
+from cycode.logger import get_logger
+
+logger = get_logger('Repository URL Command')
 
 
 def repository_url_command(
@@ -28,8 +32,13 @@ def repository_url_command(
     start_scan_time = time.time()
     report_execution_id = -1
 
+    # Sanitize repository URL to remove any embedded credentials/tokens before sending to API
+    sanitized_uri = sanitize_repository_url(uri)
+    if sanitized_uri != uri:
+        logger.debug('Sanitized repository URL to remove credentials')
+
     try:
-        report_execution = client.request_sbom_report_execution(report_parameters, repository_url=uri)
+        report_execution = client.request_sbom_report_execution(report_parameters, repository_url=sanitized_uri)
         report_execution_id = report_execution.id
 
         create_sbom_report(progress_bar, client, report_execution_id, output_file, output_format)

cycode/cli/apps/scan/remote_url_resolver.py

@@ -3,6 +3,7 @@ from typing import Optional
 from cycode.cli import consts
 from cycode.cli.utils.git_proxy import git_proxy
 from cycode.cli.utils.shell_executor import shell
+from cycode.cli.utils.url_utils import sanitize_repository_url
 from cycode.logger import get_logger
 
 logger = get_logger('Remote URL Resolver')
@@ -102,7 +103,11 @@ def _try_get_git_remote_url(path: str) -> Optional[str]:
         repo = git_proxy.get_repo(path, search_parent_directories=True)
         remote_url = repo.remotes[0].config_reader.get('url')
         logger.debug('Found Git remote URL, %s', {'remote_url': remote_url, 'repo_path': repo.working_dir})
-        return remote_url
+        # Sanitize URL to remove any embedded credentials/tokens before returning
+        sanitized_url = sanitize_repository_url(remote_url)
+        if sanitized_url != remote_url:
+            logger.debug('Sanitized repository URL to remove credentials')
+        return sanitized_url
     except Exception as e:
         logger.debug('Failed to get Git remote URL. Probably not a Git repository', exc_info=e)
         return None
@@ -124,7 +129,9 @@ def get_remote_url_scan_parameter(paths: tuple[str, ...]) -> Optional[str]:
         #  - len(paths)*2 Plastic SCM subprocess calls
         remote_url = _try_get_any_remote_url(path)
         if remote_url:
-            remote_urls.add(remote_url)
+            # URLs are already sanitized in _try_get_git_remote_url, but sanitize again as safety measure
+            sanitized_url = sanitize_repository_url(remote_url)
+            remote_urls.add(sanitized_url)
 
     if len(remote_urls) == 1:
         # we are resolving remote_url only if all paths belong to the same repo (identical remote URLs),

cycode/cli/utils/url_utils.py

@@ -0,0 +1,64 @@
+from typing import Optional
+from urllib.parse import urlparse, urlunparse
+
+from cycode.logger import get_logger
+
+logger = get_logger('URL Utils')
+
+
+def sanitize_repository_url(url: Optional[str]) -> Optional[str]:
+    """Remove credentials (username, password, tokens) from repository URL.
+
+    This function sanitizes repository URLs to prevent sending PAT tokens or other
+    credentials to the API. It handles both HTTP/HTTPS URLs with embedded credentials
+    and SSH URLs (which are returned as-is since they don't contain credentials in the URL).
+
+    Args:
+        url: Repository URL that may contain credentials (e.g., https://token@github.com/user/repo.git)
+
+    Returns:
+        Sanitized URL without credentials (e.g., https://github.com/user/repo.git), or None if input is None
+
+    Examples:
+        >>> sanitize_repository_url('https://token@github.com/user/repo.git')
+        'https://github.com/user/repo.git'
+        >>> sanitize_repository_url('https://user:token@github.com/user/repo.git')
+        'https://github.com/user/repo.git'
+        >>> sanitize_repository_url('git@github.com:user/repo.git')
+        'git@github.com:user/repo.git'
+        >>> sanitize_repository_url(None)
+        None
+    """
+    if not url:
+        return url
+
+    # Handle SSH URLs - no credentials to remove
+    # ssh:// URLs have the format ssh://git@host/path
+    if url.startswith('ssh://'):
+        return url
+    # git@host:path format (scp-style)
+    if '@' in url and '://' not in url and url.startswith('git@'):
+        return url
+
+    try:
+        parsed = urlparse(url)
+        # Remove username and password from netloc
+        # Reconstruct URL without credentials
+        sanitized_netloc = parsed.hostname
+        if parsed.port:
+            sanitized_netloc = f'{sanitized_netloc}:{parsed.port}'
+
+        return urlunparse(
+            (
+                parsed.scheme,
+                sanitized_netloc,
+                parsed.path,
+                parsed.params,
+                parsed.query,
+                parsed.fragment,
+            )
+        )
+    except Exception as e:
+        logger.debug('Failed to sanitize repository URL, returning original, %s', {'url': url, 'error': str(e)})
+        # If parsing fails, return original URL to avoid breaking functionality
+        return url

cycode/cyclient/report_client.py

@@ -6,8 +6,12 @@ from requests import Response
 
 from cycode.cli.exceptions.custom_exceptions import CycodeError
 from cycode.cli.files_collector.models.in_memory_zip import InMemoryZip
+from cycode.cli.utils.url_utils import sanitize_repository_url
 from cycode.cyclient import models
 from cycode.cyclient.cycode_client_base import CycodeClientBase
+from cycode.logger import get_logger
+
+logger = get_logger('Report Client')
 
 
 @dataclasses.dataclass
@@ -49,7 +53,11 @@ class ReportClient:
         # entity type required only for zipped-file
         request_data = {'report_parameters': params.to_json(without_entity_type=zip_file is None)}
         if repository_url:
-            request_data['repository_url'] = repository_url
+            # Sanitize repository URL to remove any embedded credentials/tokens before sending to API
+            sanitized_url = sanitize_repository_url(repository_url)
+            if sanitized_url != repository_url:
+                logger.debug('Sanitized repository URL to remove credentials')
+            request_data['repository_url'] = sanitized_url
 
         request_args = {
             'url_path': url_path,

{cycode-3.8.8.dev1.dist-info → cycode-3.8.9.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cycode
-Version: 3.8.8.dev1
+Version: 3.8.9
 Summary: Boost security in your dev lifecycle via SAST, SCA, Secrets & IaC scanning.
 License-Expression: MIT
 License-File: LICENCE

{cycode-3.8.8.dev1.dist-info → cycode-3.8.9.dist-info}/RECORD

@@ -1,4 +1,4 @@
-cycode/__init__.py,sha256=IbeAIXQ8zYtLhBZo-147Djq0Q27imvmk_BEILmTVxWY,114
+cycode/__init__.py,sha256=F3i3LbZj9g_0kdJeoKIrqojUc7ewqAylI2F_iZTTGEE,109
 cycode/__main__.py,sha256=Z3bD5yrA7yPvAChcADQrqCaZd0ChGI1gdiwALwbWJ6U,104
 cycode/cli/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cycode/cli/app.py,sha256=Th7skHthoJN1EuDtgjl4flflFqejfxaTORKmMKSXE00,6412
@@ -28,7 +28,7 @@ cycode/cli/apps/report/sbom/common.py,sha256=TefLoLxbxi4yDq6b-639udlGqfgLDznGGRw
 cycode/cli/apps/report/sbom/path/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cycode/cli/apps/report/sbom/path/path_command.py,sha256=We_0ykbXILN_JreKH5ySK2SVfgh1hnpPeWB6jkDawpQ,3110
 cycode/cli/apps/report/sbom/repository_url/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-cycode/cli/apps/report/sbom/repository_url/repository_url_command.py,sha256=VO4jSR748BEpCuOrAvOK4_rNLw63lO4iHCTfWkWdfMQ,2179
+cycode/cli/apps/report/sbom/repository_url/repository_url_command.py,sha256=euNULmXK1oVLLNZ_R2GUN2ESDsYswrpEph-bjnHxock,2580
 cycode/cli/apps/report/sbom/sbom_command.py,sha256=bykQnmO0CCNInkih6bGmCcq5HFH-ItkFHPoxz683HCc,2229
 cycode/cli/apps/report/sbom/sbom_report_file.py,sha256=uyaJRvmg1K4DvJaMppbCf6yCj6UU-NdvNg-ZVZk0jx4,1576
 cycode/cli/apps/report_import/__init__.py,sha256=T9KSL2TwQKQTNbck7JBlQAf7w8W3Q3VQLn_BCzVLWrA,424
@@ -50,7 +50,7 @@ cycode/cli/apps/scan/pre_push/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5N
 cycode/cli/apps/scan/pre_push/pre_push_command.py,sha256=Z0OJc3JDuI-pE1yLYYjuQh-kZhdZIExUPfaub73TZZE,2505
 cycode/cli/apps/scan/pre_receive/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cycode/cli/apps/scan/pre_receive/pre_receive_command.py,sha256=PanKeThapAmxapjvZwGMgux6G4RzjUUPcxebb-qFRMM,2612
-cycode/cli/apps/scan/remote_url_resolver.py,sha256=EzHgV7XaJ3TedY35vDrFVGN7qjpaNl8lnYRNSRs3fvQ,5155
+cycode/cli/apps/scan/remote_url_resolver.py,sha256=JCjaAzDMxGFDT7twBpZzjgEHGwlaGIxWG_Y7DSehsb0,5651
 cycode/cli/apps/scan/repository/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cycode/cli/apps/scan/repository/repository_command.py,sha256=R1pNaxwuFI3Y7sisBp6PwCa-aCvCmPZoAKg5F1iwyCA,3432
 cycode/cli/apps/scan/scan_ci/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -145,6 +145,7 @@ cycode/cli/utils/sentry.py,sha256=hHWYtiGKD6vRi8S6Jx9hycs5JpJvGlkBImXZfWfWB1o,36
 cycode/cli/utils/shell_executor.py,sha256=CuHeXoYM6VaYtDernWtf49_s1EfuU8nWxj4MPIAciww,1290
 cycode/cli/utils/string_utils.py,sha256=jrZ5B7351hVEibHQzyrAqJJoP3R3jgpONNEw3wMAUVA,2032
 cycode/cli/utils/task_timer.py,sha256=wxfM2TtJGjc1F17CIja_Qmt6zd4a1qdMwuz0ltgTDAg,2722
+cycode/cli/utils/url_utils.py,sha256=2ZhRCbQsKnvAl5MBugQ5CrwuALP8uivsCI6chlqxahM,2304
 cycode/cli/utils/version_checker.py,sha256=0f5PaTk02ZkDxzBqZOeMV9mU_CWcx6HKW80jUKFOOZs,8239
 cycode/cli/utils/yaml_utils.py,sha256=R-tqzl0C-zoa42rS7nfWeHu3GJ0jpbQUyyqYYU2hleM,1818
 cycode/config.py,sha256=jHORGZQcAXkAGSf2XreC-RQoc8sdNWja69QKtPWTbWo,1044
@@ -163,12 +164,12 @@ cycode/cyclient/headers.py,sha256=5aLezpRDBzueH9T1hB_6VyUydRpTs3rN17CDDPn1BxI,14
 cycode/cyclient/import_sbom_client.py,sha256=M0RAn2dDh9woI3SUkgSHCQxhbARoLpyAM3amOausz8E,2749
 cycode/cyclient/logger.py,sha256=oTkay7QzoOIVQ71cGOy4ukkijYGA3IKJlHkL24Px5ds,70
 cycode/cyclient/models.py,sha256=U_37PROmaat5ehliH1YZ71iVecF7dPvXPTNOoj67Thg,15017
-cycode/cyclient/report_client.py,sha256=h12pz3vWCwDF73BhqFX7iDSxBgQDFwkiGh3hmul2nsM,3965
+cycode/cyclient/report_client.py,sha256=Scq30NeJPzgXv0hPLO1U05AdE9i_2iu6cIrSKpEJ-cM,4399
 cycode/cyclient/scan_client.py,sha256=uTBEjgfaCVuJREo73p_zkIVA23NQfdJ1d1-bzc7nSKk,12682
 cycode/cyclient/scan_config_base.py,sha256=mXsPZGYCtp85rv5GIige40yQZXuRcEKUW-VQJ0vgFzk,1201
 cycode/logger.py,sha256=xAzpkWLZhixO4egRcYn4HXM9lIfx5wHdpkHxNc5jrX8,2225
-cycode-3.8.8.dev1.dist-info/METADATA,sha256=40JQ3R0S6BNnD1bwd1xvnE1RHgDTCDQTOOaTlW9eGw8,79037
-cycode-3.8.8.dev1.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
-cycode-3.8.8.dev1.dist-info/entry_points.txt,sha256=iDcVJM8ByLElVgvBgtYxDjw1kT7O8Mo0LcWZIT5L3Ig,45
-cycode-3.8.8.dev1.dist-info/licenses/LICENCE,sha256=2Wx4N6mD_4xB7-E3hPkZ3MPhpJy__k_I8MaCSO-PDRo,1068
-cycode-3.8.8.dev1.dist-info/RECORD,,
+cycode-3.8.9.dist-info/METADATA,sha256=s5uUTInVCjsaQLRho10cZNs0q479yaVY731EHgm3Rl4,79032
+cycode-3.8.9.dist-info/WHEEL,sha256=zp0Cn7JsFoX2ATtOhtaFYIiE2rmFAD4OcMhtUki8W3U,88
+cycode-3.8.9.dist-info/entry_points.txt,sha256=iDcVJM8ByLElVgvBgtYxDjw1kT7O8Mo0LcWZIT5L3Ig,45
+cycode-3.8.9.dist-info/licenses/LICENCE,sha256=2Wx4N6mD_4xB7-E3hPkZ3MPhpJy__k_I8MaCSO-PDRo,1068
+cycode-3.8.9.dist-info/RECORD,,