test: Add new test to check netrc auth leak

This patch adds a new test that reproduces the security issue reported
here:
https://seclists.org/oss-sec/2025/q2/204

Doing a request to a malicious url with a prefix like "domain.com:@"
will use the "domain.com" netrc credentials in the request to other
domain.

Author: danigm

tests/test_requests.py

@@ -7,6 +7,7 @@
 import os
 import pickle
 import re
+import tempfile
 import threading
 import warnings
 from unittest import mock
@@ -704,6 +705,35 @@ def get_netrc_auth_mock(url):
         finally:
             requests.sessions.get_netrc_auth = old_auth
 
+    def test_basicauth_with_netrc_leak(self, httpbin):
+        url1 = httpbin("basic-auth", "user", "pass")
+        url = url1[len("http://"):]
+        domain = url.split(":")[0]
+        url = f"http://example.com:@{url}"
+
+        netrc_file = tempfile.NamedTemporaryFile()
+        netrc_file.write(b"machine example.com\n")
+        netrc_file.write(b"login wronguser\n")
+        netrc_file.write(b"password wrongpass\n")
+        netrc_file.write(f"machine {domain}\n".encode("utf8"))
+        netrc_file.write(b"login user\n")
+        netrc_file.write(b"password pass\n")
+        netrc_file.seek(0)
+        netrc_file.read()
+
+        old_netrc = os.environ.get("NETRC", "")
+        os.environ["NETRC"] = netrc_file.name
+
+        try:
+            # Should use netrc
+            # Make sure that we don't use the example.com credentails
+            # for the request
+            r = requests.get(url)
+            assert r.status_code == 200
+        finally:
+            os.environ["NETRC"] = old_netrc
+            netrc_file.close()
+
     def test_DIGEST_HTTP_200_OK_GET(self, httpbin):
         for authtype in self.digest_auth_algo:
             auth = HTTPDigestAuth("user", "pass")