change: don’t send plaintext credentials even with debug_assertions

emilazy · emilazy · commit cc7608527eb5 · 2025-03-10T20:37:55.000Z
This should hopefully not be a breaking change, as the same code could
produce the same behaviour if compiled with different flags. However,
it’s possible some downstream test suites could be affected and
will need to opt in to the feature.
diff --git a/gix-transport/Cargo.toml b/gix-transport/Cargo.toml
@@ -47,6 +47,8 @@ http-client-reqwest-rust-tls-trust-dns = [
 ]
 ## Stacks with `blocking-http-transport-reqwest` and enables `https://` via the `native-tls` crate.
 http-client-reqwest-native-tls = ["http-client-reqwest", "reqwest/default-tls"]
+## Allows sending credentials over cleartext HTTP. For testing purposes only.
+http-client-insecure-credentials = []
 ## If set, an async implementations of the git transports becomes available in `crate::client`.
 ## Suitable for implementing your own transports while using git's way of communication, typically in conjunction with a custom server.
 ## **Note** that the _blocking_ client has a wide range of available transports, with the _async_ version of it supporting only the TCP based `git` transport leaving you
@@ -66,12 +68,12 @@ serde = ["dep:serde"]
 [[test]]
 name = "blocking-transport"
 path = "tests/blocking-transport.rs"
-required-features = ["blocking-client", "maybe-async/is_sync"]
+required-features = ["blocking-client", "http-client-insecure-credentials", "maybe-async/is_sync"]
 
 [[test]]
 name = "blocking-transport-http-only"
 path = "tests/blocking-transport-http.rs"
-required-features = ["http-client-curl", "maybe-async/is_sync"]
+required-features = ["http-client-curl", "http-client-insecure-credentials", "maybe-async/is_sync"]
 
 [[test]]
 name = "async-transport"
diff --git a/gix-transport/src/client/blocking_io/http/mod.rs b/gix-transport/src/client/blocking_io/http/mod.rs
@@ -297,7 +297,7 @@ impl<H: Http> Transport<H> {
     #[allow(clippy::unnecessary_wraps, unknown_lints)]
     fn add_basic_auth_if_present(&self, headers: &mut Vec<Cow<'_, str>>) -> Result<(), client::Error> {
         if let Some(gix_sec::identity::Account { username, password }) = &self.identity {
-            #[cfg(not(debug_assertions))]
+            #[cfg(not(feature = "http-client-insecure-credentials"))]
             if self.url.starts_with("http://") {
                 return Err(client::Error::AuthenticationRefused(
                     "Will not send credentials in clear text over http",
