Thanks a lot for the initiative, it's much appreciated.

My early feedback is that the URL parsing is probably prone to failures even though it should work for most URLs. To be save, one would probably catch parsing exceptions.
Maybe it would be easier to use an existing URL parser and/or serializer if one exists in the python standard library.

Thanks for the feedback! I've change the implementation to use urllib and handle parsing errors.

I'm still unable to make the test works on the CI despite the fact that it works locally. It seems that the failing command raise an assert which is not in my test. The problem is that I need the exception to be raise in order to check if the password is inside. Any clue on that?

Thanks for the update!

The failing test mentions the entire command-line, here it is:

 /usr/bin/git clone -v --progress ***fakerepo.example.com/testrepo /tmp/test_leaking_password_in_clone_logsam5xqh6q'

It looks like a replacement has happened even though I would expect an additional*, the password has been removed but it still seems to see the password in the error message. Sincefinalize_proc is only handed the processproc, this really only works if theargs list is editable. The latter might be the case in some python versions, but not in others.

Something you could try is to reassignproc.args entirely. If that works, I have a few more requests just to be very very safe 😅.

I track down every occurrence of the command line in the logs and it seems to be OK now. With this patch it will on every commands try to redact password out of the command line before logging it.

I just realize that we do not have a succesfull clone test and when I tried it manually it's not working because of the in-place replacement. I've to rework this.

Ok, I've change the in-place password replacement with a copy implementation which avoid side effects on the command line arguments. Also, I've added a successful git clone with a password from an empty project.

Thanks a lot, this looks so much better already, great work! It's particularly helpful to see more tests, as now there is one in particular for redacting passwords in command-lines. I bet this helped during development.

You're right! :)

Please excuse the use of the word 'nicer' in the line comments below, I simply lacked a more scientific explanation so I guess it comes down to 'taste'. This is not to be understood as judgement towards your code, it's just as correct and since it's Python you could make a point towards the current version being idiomatic and I would go with it.

No problem, I know that sometimes it's a matter of beauty ;)

Let's get this one to the finishing line :) horse_racing

Thanks a lot for all you feedback!! 🏁