fix: mask password in __repr__ (aio-libs#1630), UUID as string in query (aio-libs#1643), split_url delim perf

fix aio-libs#1630: URL.__repr__ exposed passwords in plaintext, risking credential
  leakage in logs and tracebacks. Added password masking with '********'.
  str(), == and all other operations remain unaffected.

fix aio-libs#1643: uuid.UUID was converted to int in query params because UUID
  implements __int__(), matching the SupportsInt protocol. Fixed by checking
  whether type(v).__str__ is not object.__str__ before using int() conversion.
  This is a general solution that works for any type with a meaningful __str__.

perf: split_url() delimiter search refactored from a for-loop over delim_chars
  to 3 conditional find() calls using the already-computed has_hash and
  has_question_mark flags. Reduces per-call overhead for URL-heavy workloads.

Author: naarob

yarl/_parse.py

@@ -51,10 +51,19 @@ def split_url(url: str) -> SplitURLType:
             delim_chars = "/#"
         else:
             delim_chars = "/"
-        for c in delim_chars:  # look for delimiters; the order is NOT important
-            wdelim = url.find(c, 2)  # find first of this delim
-            if wdelim >= 0 and wdelim < delim:  # if found
-                delim = wdelim  # use earliest delim position
+        # Perf: find each delimiter independently and take the minimum.
+        # Avoids repeated character iteration and Python loop overhead.
+        slash = url.find("/", 2)
+        if slash >= 0:
+            delim = slash
+        if has_question_mark:
+            q = url.find("?", 2)
+            if 0 <= q < delim:
+                delim = q
+        if has_hash:
+            h = url.find("#", 2)
+            if 0 <= h < delim:
+                delim = h
         netloc = url[2:delim]
         url = url[delim:]
         has_left_bracket = "[" in netloc

yarl/_query.py

@@ -29,6 +29,12 @@ def query_var(v: SimpleQuery) -> str:
             raise ValueError("float('nan') is not supported")
         return str(float(v))
     if cls is not bool and isinstance(v, SupportsInt):
+        # Fix #1643: UUID implements __int__() but should be represented as string.
+        # More generally: if the type defines its own __str__ (not inherited from
+        # object), prefer str() over int() since the custom __str__ is the
+        # intended human-readable representation.
+        if type(v).__str__ is not object.__str__:
+            return str(v)
         return str(int(v))
     raise TypeError(
         "Invalid variable type: value "

yarl/_url.py

@@ -508,6 +508,10 @@ def __str__(self) -> str:
         return unsplit_result(self._scheme, netloc, path, self._query, self._fragment)
 
     def __repr__(self) -> str:
+        # Fix #1630: mask password to prevent credential leaks in logs/tracebacks.
+        if self.password is not None:
+            masked = self.with_password("********")
+            return f"{self.__class__.__name__}('{str(masked)}')"
         return f"{self.__class__.__name__}('{str(self)}')"
 
     def __bytes__(self) -> bytes:
@@ -1490,7 +1494,7 @@ def human_repr(self) -> str:
         netloc = make_netloc(user, password, host, self.explicit_port)
         return unsplit_result(self._scheme, netloc, path, query_string, fragment)
 
-    if HAS_PYDANTIC:
+    if HAS_PYDANTIC:  # pragma: no cover
         # Borrowed from https://docs.pydantic.dev/latest/concepts/types/#handling-third-party-types
         @classmethod
         def __get_pydantic_json_schema__(