0

I'm using python's argparse module to get arguments from the command line and log in a website, for example: python app.py username password. However, I realized that some more complex passwords may include regular expressions such as '#' or '$', and the args.password will end up being either ignored or modified by the MacOS terminal: python app.py username #pa$$word.

 parser = argparse.ArgumentParser()
 parser.add_argument("username", help="website account username", type=str)
 parser.add_argument("password", help="website account password", type=str)
 args = parser.parse_args()

How can I avoid this behavior without having to hardcode these str arguments?

Improve this question
8
  • 2
    It is generally a bad idea to put passwords in argument lists anyway, because other processes (including run under other usernames) can inspect them via the ps command or equivalent. Commented Jun 19, 2020 at 18:15
  • What would be a better and safer alternative? Commented Jun 19, 2020 at 18:17
  • 1
    Usual strategies involve any of the following: (1) put them in a file (suitably protected) and pass the filename, (2) put them in an environment variable (can be inspected by other processes run as the same user but not other users), (3) interactive prompting Commented Jun 19, 2020 at 18:18
  • 1
    In any case, the original question is essentially a shell question rather than a python one. Any command line argument to the python process can be read by argparse, but certain strings might need quoting or escaping when invoking a command from the shell running in the terminal. But in view of the above, it is probably not an issue that needs to be solved directly. Commented Jun 19, 2020 at 18:23
  • Got it. Well, thanks for the help I will follow your advice. Commented Jun 19, 2020 at 18:24

1 Answer 1

Reset to default
2

You are not really talking about regular expressions.

Further the problem is not python, but your shell.

you had to call your script with

python app.py username '#pa$$word'

and sys.argv[2] will contain the password.

If you have a password containing a single quote ('), then you had to replace it with a triple single quote '\'' where the second ' is prefixed with a \

As others said already:

It is considered bad practice to pass passwords as command line arguments to a script as anybody being able to type ps on the same machine will see the password.

More common options are, that you

  • pass the name of a file containing the password and that this file has no read permission for group and others
  • pass the name of an environment variable containing the password or
  • pipe the password into your script via stdin.
  • prompt for a password. (normally you try to reconfigure the terminal such, that the password will not be displayed on the terminal)
Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Thanks, I opted for setting an environment variable but I was still struggling with cases that involved '$'. The triple single quote tip was helpful. However, I thought that the '#' from the '#pa$$word' example was causing the python script to ignore the variable, that's why I tagged the problem as a python question at the first moment.
if # is quoted on the shell it will not be ignored by the shell For python # is just a character if it is in a variable in a line read from a file Only in py source code # would be the start of a comment if not within a string. The biggest issue is often to get weird strings from the shell to your python script. I though for example, that the password A'#B"$C could be quoted in the shell as 'A\'#B"$C' and it took me some time to find out that I had to use 'A'''#B"$C'. If the password is stored in a file with strict read permissions you don't have these issues
correction: It's not ''' but '\'' you have to type to replace the single code. So in above comment: 'A'\''#B"$C' or alternatively, 'A'"'"'#B"$C' (but that's not really more beautiful)

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.