package-registry login has empty token

Question

package-registry login has empty token

pwallrich opened this issue 6 months ago · 0 comments

pwallrich commented 6 months ago

Is it reproducible with SwiftPM command-line tools: `swift build`, `swift test`, `swift package` etc?

Confirmed reproduction steps with SwiftPM CLI.

Description

When executing swift package-registry login it asks for a token but fails to retrieve it properly.

Screenshot from mitm proxy of the request:

I've checked the code a bit and it only happens on release builds. When spm is built with debug config it doesn't happen.

The issue seems to be related to readpassphrase inside PackageRegistryCommand+Auth.swift. Somehow the buffer and passwordPtr aren't valid anymore, when the string is created.

I also already fixed it locally and will submit a PR soon (not sure, if it's the best solution).

Expected behavior

It should get the token from the cli and use it for authentication

Actual behavior

It uses an empty string instead of the password.

I assume because of some memory management issues related to readpassphrase

Steps to reproduce

Build release version of SPM 5.10 or latest version from main
swift package-registry login {url}
authentication fails

Swift Package Manager version/commit hash

SPM 5.10 and latest from main

Swift & OS version (output of `swift --version ; uname -a`)

swift-driver version: 1.90.11.1 Apple Swift version 5.10 (swiftlang-5.10.0.13 clang-1500.3.9.4)
Target: arm64-apple-macosx14.0

Is it reproducible with SwiftPM command-line tools: swift build, swift test, swift package etc?