fix: ensure that tokens are not leaked when paths or uris of source files are logged #3821

Merged: johanneskoester merged 11 commits into main from fix/cache-wrapper-files on Nov 4, 2025

@johanneskoester johanneskoester commented Oct 31, 2025

Contributor

Description

QC

  • The PR contains a test case for the changes or the changes are already covered by an existing test case.
  • The documentation (docs/) is updated to reflect the changes or this is not necessary (e.g. if the change does neither modify the language nor the behavior or functionalities of Snakemake).

Summary by CodeRabbit

  • Bug Fixes

    • Reduce leakage of sensitive tokens/credentials in logs, warnings and error messages across script execution, environment handling, report rendering, and source access.
  • Chores

    • Standardized path/URI resolution so displayed paths omit secrets when appropriate, improving privacy and consistency.
    • Improved remote-source handling and caching behavior for versioned references (affects retrieval and caching of remote resources).

coderabbitai Bot commented Oct 31, 2025

Contributor

Caution

Review failed

The pull request is closed.

Walkthrough

This PR adds a secret_free: bool parameter to SourceFile.get_path_or_uri and propagates it through the SourceFile implementations and call sites, enabling callers to request either secret-free (redacted) or full (possibly secret-containing) URIs. Many call sites were updated to pass the appropriate flag for logging, error messages, internal ops, caching and containerization.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Core source file infrastructure: src/snakemake/sourcecache.py | Adds secret_free: bool argument to SourceFile.get_path_or_uri() and to all implementations (GenericSourceFile, LocalSourceFile, LocalGitFile, HostingProviderFile, GithubFile, GitlabFile). Updates __hash__, __eq__, __str__, join(), caching, open/error messages to use secret-aware resolution. Adds/adjusts return type annotations and Optional typing for hosting refs. |
| DAG and job execution: src/snakemake/dag.py, src/snakemake/jobs.py | Switches local script/notebook and local path resolution to call get_path_or_uri(secret_free=True) where appropriate (affects path retrieval for existence/mtime checks and logging). |
| Deployment (Conda) and containerization: src/snakemake/deployment/conda.py, src/snakemake/deployment/containerize.py | Replaces many get_path_or_uri() calls with explicit secret_free flags (True for external/log messages, False for internal operations). Adjusts how env/pin/post-deploy file URIs are derived and shown. |
| Parser and workflow initialization: src/snakemake/parser.py, src/snakemake/workflow.py | Makes get_path_or_uri(secret_free=...) explicit in multiple locations: mostly secret_free=False for internal handling, secret_free=True where used for user-facing logs/messages. |
| Script execution: src/snakemake/script/__init__.py | Updates preamble and script metadata path resolution calls to use secret_free (mostly True), preserving one explicit False where intended. |
| Wrapper and source caching logic: src/snakemake/wrapper.py | Enhances get_path() typing and logic: recognizes version-like tags, returns GithubFile for versioned refs to enable persistent caching; calls script_source.get_path_or_uri(secret_free=False) when resolving script sources. Adds regex and Optional typing/imports. |
| Reporting and utilities: src/snakemake/report/__init__.py, src/snakemake/utils.py | Uses get_path_or_uri(secret_free=True) for error/report messages and secret_free=False for internal $id/registry URI construction; updates caption/report error message path rendering. |

Sequence Diagram(s)

sequenceDiagram
    participant Caller
    participant SourceFile
    Note over Caller,SourceFile: Two retrieval modes for paths/URIs

    rect rgb(220,240,255)
    Note over Caller: Internal operations (need secrets)
    Caller->>SourceFile: get_path_or_uri(secret_free=False)
    SourceFile-->>Caller: full_uri_with_tokens
    end

    rect rgb(255,240,220)
    Note over Caller: User-facing / logs / errors (redact)
    Caller->>SourceFile: get_path_or_uri(secret_free=True)
    SourceFile-->>Caller: redacted_uri_without_tokens
    end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

  • Pay particular attention to src/snakemake/sourcecache.py (core API change and propagation).
  • Verify each call site uses the correct secret_free semantics (True for logs/errors, False for internal/caching operations).
  • Review HostingProviderFile/GithubFile/GitlabFile token inclusion logic and wrapper caching behavior (version detection and GithubFile instantiation).

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)
| Check name | Status | Explanation / Resolution |
|---|---|---|
| Description Check | ⚠️ Warning | The PR description follows the template structure with "Description" and "QC" sections, and both QC checkboxes are properly marked as complete. However, the Description section is entirely empty except for the placeholder comment <!--Add a description of your PR here-->. This is a substantial pull request affecting 10+ files and introducing systematic changes to a core security mechanism (the secret_free parameter), yet no actual content describes what was changed, why it was changed, or how it addresses the issue. This represents a largely incomplete description despite the QC section being properly filled out. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 11.25% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage. |
✅ Passed checks (1 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title Check | ✅ Passed | The PR title "fix: ensure that tokens are not leaked when paths or uris of source files are logged" directly aligns with the main objective of this changeset. The raw_summary shows that the PR systematically introduces a secret_free parameter across multiple files (sourcecache.py, dag.py, conda.py, containerize.py, jobs.py, parser.py, report/__init__.py, script/__init__.py, utils.py, workflow.py, and wrapper.py) to control whether sensitive data like tokens are included in path/URI outputs used for logging and error messages. The title accurately captures this core security fix without unnecessary details or vague language. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 14e2c49 and 0df8e20.

📒 Files selected for processing (1)
  • src/snakemake/deployment/containerize.py (2 hunks)


@github-actions

Contributor

Please format your code with pixi run format

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
src/snakemake/parser.py (1)

1355-1364: Prevent credential leak in error messages (use secret_free=True for display path)

The path stored in self.path is used in two contexts where it's exposed to users:

  • Line 178: embedded in SyntaxError tuples raised during parsing
  • Line 795: embedded in generated @workflow.rule() decorator strings

When using remote sources like Github or Gitlab, get_path_or_uri(secret_free=False) includes authentication tokens. This fix correctly uses secret_free=True for display purposes while preserving functionality—file operations continue using the original SourceFile object via workflow.sourcecache.open(path).

Apply the suggested fix to prevent token leakage.

src/snakemake/workflow.py (1)

1625-1660: Keep tokens out of compiled filenames

Using secret_free=False when registering and compiling a Snakefile injects any embedded credentials into co_filename. Those filenames surface in tracebacks, logging, and cache keys, so this change reintroduces the very token leakage this PR is trying to eliminate. Switch the bookkeeping to the redacted form while still retrieving the non‑redacted path on demand for actual I/O.

-        self._included[snakefile.get_path_or_uri(secret_free=False)] = snakefile
-        self.included_stack.append(snakefile)
-
-        default_target = self.default_target
-        linemap: Dict[int, int] = dict()
-        self.linemaps[snakefile.get_path_or_uri(secret_free=False)] = linemap
+        path_key = snakefile.get_path_or_uri(secret_free=True)
+        self._included[path_key] = snakefile
+        self.included_stack.append(snakefile)
+
+        default_target = self.default_target
+        linemap: Dict[int, int] = dict()
+        self.linemaps[path_key] = linemap
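
Review bot: `self._included` and `self.linemaps` are now keyed by `path_key`, the redacted URI, so any reader of these dicts that still builds its key with `get_path_or_uri(secret_free=False)` will miss the entry for token-bearing sources. Those lookups are not in the visible lines and need to move to the redacted key in the same change; a short comment at the `path_key` assignment stating that the redacted form is the canonical key would help keep them aligned.
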
@@
-        exec(
-            compile(code, snakefile.get_path_or_uri(secret_free=False), "exec"),
+        exec(
+            compile(code, snakefile.get_path_or_uri(secret_free=True), "exec"),
             self.globals,
         )
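
Review bot: the `compile(...)` call recomputes `snakefile.get_path_or_uri(secret_free=True)` instead of reusing `path_key` from the hunk above. If tracebacks are mapped back to Snakefile lines through `self.linemaps` by filename, the compiled filename and the linemap key have to be the same string, so pass `path_key` here to keep the two from drifting apart.
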
🧹 Nitpick comments (1)
src/snakemake/sourcecache.py (1)

458-466: Correct dual usage of secret_free parameter!

The implementation perfectly demonstrates the intended usage pattern:

  • Line 458 uses secret_free=False to get the full authenticated URI for opening the file
  • Line 464 uses secret_free=True to exclude tokens from the error message

However, consider improving the exception chaining:

         try:
             return open(path_or_uri, mode, encoding=None if "b" in mode else encoding)
         except Exception as e:
-            raise WorkflowError(
-                f"Failed to open source file {source_file.get_path_or_uri(secret_free=True)}",
-                e,
-            )
+            raise WorkflowError(
+                f"Failed to open source file {source_file.get_path_or_uri(secret_free=True)}"
+            ) from e
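
Review bot: with `from e` on the last added line, the original exception is printed as the cause, and `open(path_or_uri, ...)` is called with the URI that the comment above says is obtained with `secret_free=False`. If that exception's message echoes `path_or_uri`, the token reappears in the traceback even though the `WorkflowError` text is redacted. Consider redacting the cause's message before chaining, or chaining only when it is known not to contain the URI; the same concern applies to the removed form that passed `e` as a second argument.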

This preserves the exception chain for better debugging while maintaining Python best practices.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 83c05cc and 14e2c49.

📒 Files selected for processing (11)
  • src/snakemake/dag.py (1 hunks)
  • src/snakemake/deployment/conda.py (10 hunks)
  • src/snakemake/deployment/containerize.py (2 hunks)
  • src/snakemake/jobs.py (1 hunks)
  • src/snakemake/parser.py (1 hunks)
  • src/snakemake/report/__init__.py (2 hunks)
  • src/snakemake/script/__init__.py (10 hunks)
  • src/snakemake/sourcecache.py (12 hunks)
  • src/snakemake/utils.py (3 hunks)
  • src/snakemake/workflow.py (6 hunks)
  • src/snakemake/wrapper.py (3 hunks)
🧰 Additional context used
📓 Path-based instructions (2)
**/*.py

⚙️ CodeRabbit configuration file

**/*.py: Do not try to improve formatting.
Do not suggest type annotations for functions that are defined inside of functions or methods.
Do not suggest type annotation of the self argument of methods.
Do not suggest type annotation of the cls argument of classmethods.
Do not suggest return type annotation if a function or method does not contain a return statement.

Files:

  • src/snakemake/jobs.py
  • src/snakemake/dag.py
  • src/snakemake/deployment/containerize.py
  • src/snakemake/workflow.py
  • src/snakemake/wrapper.py
  • src/snakemake/report/__init__.py
  • src/snakemake/parser.py
  • src/snakemake/deployment/conda.py
  • src/snakemake/script/__init__.py
  • src/snakemake/utils.py
  • src/snakemake/sourcecache.py
**/wrapper.py

⚙️ CodeRabbit configuration file

Do not complain about use of undefined variable called snakemake.

Files:

  • src/snakemake/wrapper.py
🧠 Learnings (3)
📚 Learning: 2024-10-06T14:09:54.370Z
Learnt from: johanneskoester
Repo: snakemake/snakemake PR: 3117
File: tests/test_wrapper/Snakefile:11-11
Timestamp: 2024-10-06T14:09:54.370Z
Learning: Changes made within test cases, such as in `tests/test_wrapper/Snakefile`, are for testing purposes and do not require updates to the project documentation.

Applied to files:

  • src/snakemake/workflow.py
  • src/snakemake/parser.py
  • src/snakemake/script/__init__.py
📚 Learning: 2025-09-17T04:03:59.943Z
Learnt from: Hocnonsense
Repo: snakemake/snakemake PR: 3714
File: src/snakemake/modules.py:236-241
Timestamp: 2025-09-17T04:03:59.943Z
Learning: In Snakemake's WorkflowModifier, rule filtering via rule_whitelist and rule_exclude_list happens upstream during rule creation in the rule() decorator. The avail_rulename() method returns None for filtered-out rules, causing the entire rule creation to be skipped. This means child_modifier.rule_proxies only contains rules that passed the filtering, so inherit_rule_proxies doesn't need additional filtering logic.

Applied to files:

  • src/snakemake/workflow.py
📚 Learning: 2024-10-11T13:12:35.827Z
Learnt from: johanneskoester
Repo: snakemake/snakemake PR: 3132
File: snakemake/deployment/conda.py:85-88
Timestamp: 2024-10-11T13:12:35.827Z
Learning: In the `snakemake/deployment/conda.py` file, within the `Env` class, validation of `env_dir` occurs later in the code, so it's unnecessary to validate `env_dir` in the `__init__` method.

Applied to files:

  • src/snakemake/deployment/conda.py
🧬 Code graph analysis (11)
src/snakemake/jobs.py (1)
src/snakemake/sourcecache.py (6)
  • get_path_or_uri (47-47)
  • get_path_or_uri (97-98)
  • get_path_or_uri (115-116)
  • get_path_or_uri (155-156)
  • get_path_or_uri (294-298)
  • get_path_or_uri (307-317)
src/snakemake/dag.py (1)
src/snakemake/sourcecache.py (6)
  • get_path_or_uri (47-47)
  • get_path_or_uri (97-98)
  • get_path_or_uri (115-116)
  • get_path_or_uri (155-156)
  • get_path_or_uri (294-298)
  • get_path_or_uri (307-317)
src/snakemake/deployment/containerize.py (1)
src/snakemake/sourcecache.py (6)
  • get_path_or_uri (47-47)
  • get_path_or_uri (97-98)
  • get_path_or_uri (115-116)
  • get_path_or_uri (155-156)
  • get_path_or_uri (294-298)
  • get_path_or_uri (307-317)
src/snakemake/workflow.py (1)
src/snakemake/sourcecache.py (13)
  • get_path_or_uri (47-47)
  • get_path_or_uri (97-98)
  • get_path_or_uri (115-116)
  • get_path_or_uri (155-156)
  • get_path_or_uri (294-298)
  • get_path_or_uri (307-317)
  • get_basedir (56-58)
  • get_basedir (168-175)
  • get_basedir (256-264)
  • LocalSourceFile (111-141)
  • join (63-66)
  • join (158-166)
  • join (266-279)
src/snakemake/wrapper.py (2)
src/snakemake/script/__init__.py (1)
  • script (1700-1779)
src/snakemake/sourcecache.py (15)
  • GithubFile (286-298)
  • SourceCache (353-466)
  • infer_source_file (320-350)
  • get_path (391-393)
  • join (63-66)
  • join (158-166)
  • join (266-279)
  • ref (184-185)
  • ref (253-254)
  • get_path_or_uri (47-47)
  • get_path_or_uri (97-98)
  • get_path_or_uri (115-116)
  • get_path_or_uri (155-156)
  • get_path_or_uri (294-298)
  • get_path_or_uri (307-317)
src/snakemake/report/__init__.py (1)
src/snakemake/sourcecache.py (6)
  • get_path_or_uri (47-47)
  • get_path_or_uri (97-98)
  • get_path_or_uri (115-116)
  • get_path_or_uri (155-156)
  • get_path_or_uri (294-298)
  • get_path_or_uri (307-317)
src/snakemake/parser.py (1)
src/snakemake/sourcecache.py (6)
  • get_path_or_uri (47-47)
  • get_path_or_uri (97-98)
  • get_path_or_uri (115-116)
  • get_path_or_uri (155-156)
  • get_path_or_uri (294-298)
  • get_path_or_uri (307-317)
src/snakemake/deployment/conda.py (2)
src/snakemake/io/__init__.py (2)
  • file (457-464)
  • IOFile (235-237)
src/snakemake/sourcecache.py (6)
  • get_path_or_uri (47-47)
  • get_path_or_uri (97-98)
  • get_path_or_uri (115-116)
  • get_path_or_uri (155-156)
  • get_path_or_uri (294-298)
  • get_path_or_uri (307-317)
src/snakemake/script/__init__.py (1)
src/snakemake/sourcecache.py (9)
  • get_path_or_uri (47-47)
  • get_path_or_uri (97-98)
  • get_path_or_uri (115-116)
  • get_path_or_uri (155-156)
  • get_path_or_uri (294-298)
  • get_path_or_uri (307-317)
  • get_basedir (56-58)
  • get_basedir (168-175)
  • get_basedir (256-264)
src/snakemake/utils.py (2)
src/snakemake/workflow.py (2)
  • current_basedir (1541-1545)
  • sourcecache (500-501)
src/snakemake/sourcecache.py (10)
  • join (63-66)
  • join (158-166)
  • join (266-279)
  • get_path_or_uri (47-47)
  • get_path_or_uri (97-98)
  • get_path_or_uri (115-116)
  • get_path_or_uri (155-156)
  • get_path_or_uri (294-298)
  • get_path_or_uri (307-317)
  • open (378-382)
src/snakemake/sourcecache.py (1)
src/snakemake/common/__init__.py (2)
  • parse_uri (131-146)
  • smart_join (149-166)
🪛 Ruff (0.14.2)
src/snakemake/workflow.py

  • 1656-1656: Use of exec detected (S102)

src/snakemake/sourcecache.py

  • 97-97: Unused method argument: secret_free (ARG002)
  • 115-115: Unused method argument: secret_free (ARG002)
  • 155-155: Unused method argument: secret_free (ARG002)
  • 462-462: Do not catch blind exception: Exception (BLE001)
  • 463-466: Within an except clause, raise exceptions with raise ... from err or raise ... from None to distinguish them from errors in exception handling (B904)
  • 463-466: Avoid specifying long messages outside the exception class (TRY003)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (47)
🔇 Additional comments (11)
src/snakemake/dag.py (1)

3303-3306: Good: secret-free local path in sources listing

Using get_path_or_uri(secret_free=True) for LocalSourceFile in get_sources() avoids leaking secrets in archive/log contexts.

src/snakemake/jobs.py (1)

409-417: LGTM: secret-free local script path for mtime check

Using get_path_or_uri(secret_free=True) for LocalSourceFile keeps behavior while avoiding accidental token propagation if logged elsewhere.

src/snakemake/report/__init__.py (2)

431-436: Good: redact secrets in caption-load error

Using get_path_or_uri(secret_free=True) in the WorkflowError message prevents leaking tokens when a caption file fails to load.


736-740: Good: redact secrets in global report caption errors

The switch to secret_free=True for dag.workflow.report_text in error reporting avoids exposing tokens in report-generation errors.

src/snakemake/sourcecache.py (7)

45-90: Excellent implementation of the secret_free parameter in the base class!

The propagation of secret_free throughout the base class methods is correct:

  • Cache paths, hashing, equality checks, and string representations use secret_free=True to prevent token leakage
  • Operational methods like get_basedir() and join() use secret_free=False to preserve full paths for actual file operations

This ensures sensitive tokens are hidden in logs and user-facing output while remaining available for authentication during file access.


97-98: Unused secret_free parameter is acceptable here.

While static analysis flags the unused parameter, this is correct—GenericSourceFile serves as a fallback for arbitrary URIs that don't contain authentication tokens. The parameter must be present to satisfy the abstract interface contract.


115-116: Correct implementation for local files.

Local filesystem paths don't contain authentication tokens, so not using the secret_free parameter is appropriate. The parameter is required by the interface contract.


155-156: Appropriate handling for git+file:// protocol.

Local git repositories authenticate via SSH keys or system credentials rather than URL-embedded tokens, so the secret_free parameter doesn't need to affect the returned URI. The interface requirement is satisfied.


294-298: Perfect implementation of token redaction for GitHub files!

The conditional auth string correctly includes the token only when secret_free=False, ensuring:

  • Authenticated requests work properly when accessing files
  • Tokens are omitted from logs, error messages, and user-facing output

This is exactly the security behavior the PR aims to achieve.


307-317: Correct token redaction for GitLab files!

The implementation properly conditionally includes the private_token query parameter, matching the GitHub implementation pattern. Tokens are correctly hidden when secret_free=True.


325-325: Correct use of secret_free=True for path inference.

When converting an existing SourceFile to a string for re-inference, using secret_free=True ensures tokens aren't exposed in the derived path.

Comment thread src/snakemake/deployment/containerize.py
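
The two retrieval modes and the compiled-filename concern discussed in the review above, as an added Python example that is not part of the PR or of Snakemake's code. `HostedFile`, the host `git.example.invalid`, the token value and all helper names are constructed for illustration, and suppressing the exception cause in `fetch()` is a choice of this example, not the PR's.

```python
import traceback
from typing import Callable, Optional

TOKEN = "constructed-token-123"  # constructed sample value, not a real credential


class HostedFile:
    """Hypothetical hosting-provider source file (not Snakemake's class)."""

    def __init__(self, repo: str, path: str, ref: str, token: Optional[str] = None):
        self.repo, self.path, self.ref, self.token = repo, path, ref, token

    def get_path_or_uri(self, secret_free: bool) -> str:
        # The token is embedded only when the caller explicitly asks for it.
        auth = f"{self.token}@" if self.token and not secret_free else ""
        return f"https://{auth}git.example.invalid/{self.repo}/{self.ref}/{self.path}"

    # Identity and display use the redacted form, so dict keys and str()
    # in log lines never carry the credential.
    def __hash__(self) -> int:
        return hash(self.get_path_or_uri(secret_free=True))

    def __eq__(self, other: object) -> bool:
        if not isinstance(other, HostedFile):
            return NotImplemented
        return self.get_path_or_uri(secret_free=True) == other.get_path_or_uri(
            secret_free=True
        )

    def __str__(self) -> str:
        return self.get_path_or_uri(secret_free=True)


def run_and_capture_traceback(source: HostedFile, code: str, secret_free: bool) -> str:
    """Compile `code` under the file's URI; return the traceback text of any error."""
    filename = source.get_path_or_uri(secret_free=secret_free)
    try:
        # The filename becomes co_filename and is printed in every traceback frame.
        exec(compile(code, filename, "exec"), {})
    except Exception:
        return traceback.format_exc()
    return ""


def fetch(source: HostedFile, opener: Callable[[str], str]) -> str:
    """Use the full URI for I/O, the redacted one in the error message."""
    try:
        return opener(source.get_path_or_uri(secret_free=False))
    except Exception as e:
        # Assumption of this example: the cause may echo the full URI, so only
        # its type is reported and the chain is suppressed with `from None`.
        raise RuntimeError(
            f"Failed to open source file {source} ({type(e).__name__})"
        ) from None


def failing_opener(uri: str) -> str:
    raise OSError(f"cannot reach {uri}")  # constructed failure that echoes the URI


def fetch_error_text(source: HostedFile) -> str:
    """Return everything a user would see when fetch() fails."""
    try:
        fetch(source, failing_opener)
    except RuntimeError as err:
        return "".join(traceback.format_exception(type(err), err, err.__traceback__))
    return ""


if __name__ == "__main__":
    src = HostedFile("org/repo", "workflow/Snakefile", "v1.0.0", token=TOKEN)
    print(run_and_capture_traceback(src, "raise ValueError('boom')", secret_free=True))
    print(fetch_error_text(src))
```

Calling `run_and_capture_traceback` with `secret_free=False` on the same object shows the token inside the `File "..."` line of the traceback, which is the leak path the review describes for compiled Snakefiles.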
@johanneskoester johanneskoester merged commit a217e50 into main Nov 4, 2025
54 of 57 checks passed
@johanneskoester johanneskoester deleted the fix/cache-wrapper-files branch November 4, 2025 13:01
johanneskoester pushed a commit that referenced this pull request Nov 4, 2025
🤖 I have created a release *beep* *boop*
---

## [9.13.5](v9.13.4...v9.13.5) (2025-11-04)

### Bug Fixes

* cache wrapper files and wait for them in case of shared filesystem for sources ([#3809](#3809)) ([498fff7](498fff7))
* correctly handle meta-wrapper tag replacement depending on the used snakemake-wrapper release ([#3826](#3826)) ([8d46a4a](8d46a4a))
* ensure that flags are properly considered for input files before applying path modifiers (i.e. default storage providers) ([#3813](#3813)) ([d3bfe32](d3bfe32))
* ensure that tokens are not leaked when paths or uris of source files are logged ([#3821](#3821)) ([a217e50](a217e50))
* print secs as numeric in jsonl benchmark format ([#3814](#3814)) ([395a5e6](395a5e6))
* revert breaking change in 9.11.9 disallowing empty input files even when unused ([#3810](#3810)) ([83c05cc](83c05cc))
* shorten report ids (thus dir names) in order to avoid issues with path length on windows ([#3822](#3822)) ([b24d971](b24d971))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
kjohnsen pushed a commit to kjohnsen/snakemake that referenced this pull request Dec 15, 2025
…iles are logged (snakemake#3821)

### Description

<!--Add a description of your PR here-->

### QC
<!-- Make sure that you can tick the boxes below. -->

* [x] The PR contains a test case for the changes or the changes are
already covered by an existing test case.
* [x] The documentation (`docs/`) is updated to reflect the changes or
this is not necessary (e.g. if the change does neither modify the
language nor the behavior or functionalities of Snakemake).


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Improved security by preventing sensitive authentication credentials
from appearing in log messages and error outputs across script
execution, conda environment handling, report generation, and source
file processing.

* **Chores**
* Updated internal path resolution methods to consistently manage
credential exposure based on context.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
kjohnsen pushed a commit to kjohnsen/snakemake that referenced this pull request Dec 15, 2025