Add RedactURL to prevent credential leakage in logs

bjornrobertsson · bjornrobertsson · commit 92783ef2ba2b · 2026-02-17T10:07:50.000Z
- Add RedactURL function that handles all common URL formats:
  - Standard URLs with userinfo (user:pass, token-only, user-only)
  - URL-encoded credentials (p%40ss%3Aw0rd)
  - SCP-like URLs with any user (git@, deploy@, token@)
  - Various schemes (http, https, ssh, git, ftp, sftp)
  - IPv6 hosts
- Uses net/url for scheme URLs (handles encoding automatically)
- Uses regex for SCP-style URLs
- Redact credentials from parent URL, submodule URL, and resolved URL logs
- Add comprehensive tests covering all credential patterns
diff --git a/git/git.go b/git/git.go
@@ -10,6 +10,7 @@ import (
 	"net/url"
 	"os"
 	"path"
+	"regexp"
 	"strings"
 
 	"github.com/coder/envbuilder/internal/ebutil"
@@ -434,7 +435,43 @@ func ProgressWriter(write func(line string, args ...any)) io.WriteCloser {
 	}
 }
 
-// resolveSubmoduleURL resolves a potentially relative submodule URL against the parent repository URL
+// scpLikeURLRegex matches SCP-like URLs: user@host:path (where host is not empty and path doesn't start with /)
+// This handles: git@github.com:org/repo, deploy@host:repo, user@10.0.0.5:project
+var scpLikeURLRegex = regexp.MustCompile(`^([^@]+)@([^:]+):(.+)$`)
+
+// RedactURL redacts credentials from a URL for safe logging.
+// Handles:
+//   - Standard URLs with userinfo: https://user:pass@host, https://token@host
+//   - URL-encoded credentials: https://user:p%40ss@host
+//   - SCP-like URLs: git@host:path, deploy@host:path, user@10.0.0.5:path
+//   - Various schemes: http, https, ssh, git, ftp, sftp
+//   - IPv6 hosts: https://user@[2001:db8::1]/path
+func RedactURL(u string) string {
+	// First, try to parse as a standard URL (handles most schemes)
+	parsed, err := url.Parse(u)
+	if err == nil && parsed.Scheme != "" {
+		// Successfully parsed as a URL with a scheme
+		// Redact userinfo if present (handles user, user:pass, token, URL-encoded creds)
+		if parsed.User != nil {
+			parsed.User = url.User("***")
+		}
+		return parsed.String()
+	}
+
+	// Handle SCP-like URLs: user@host:path (no scheme)
+	// This catches: git@github.com:org/repo, deploy@host:repo, user@10.0.0.5:project
+	if matches := scpLikeURLRegex.FindStringSubmatch(u); matches != nil {
+		// matches[1] = user part (could be git, deploy, token, etc.)
+		// matches[2] = host
+		// matches[3] = path
+		return "***@" + matches[2] + ":" + matches[3]
+	}
+
+	// If we can't parse it and it's not SCP-like, return as-is
+	// (probably not a URL with credentials)
+	return u
+}
+
 // ResolveSubmoduleURL resolves a potentially relative submodule URL against a parent repository URL.
 func ResolveSubmoduleURL(parentURL, submoduleURL string) (string, error) {
 	// If the submodule URL is absolute (contains ://) or doesn't start with ./ or ../, return it as-is
@@ -521,13 +558,13 @@ func initSubmodules(ctx context.Context, logf func(string, ...any), repo *git.Re
 	if origin, hasOrigin := cfg.Remotes["origin"]; hasOrigin && len(origin.URLs) > 0 {
 		parentURL = origin.URLs[0]
 	}
-	logf("Parent repository URL: %s", parentURL)
+	logf("Parent repository URL: %s", RedactURL(parentURL))
 
 	for _, sub := range subs {
 		subConfig := sub.Config()
 		logf("📦 Initializing submodule: %s", subConfig.Name)
 		logf("  Submodule path: %s", subConfig.Path)
-		logf("  Submodule URL (from .gitmodules): %s", subConfig.URL)
+		logf("  Submodule URL (from .gitmodules): %s", RedactURL(subConfig.URL))
 
 		// Get the expected commit hash
 		subStatus, err := sub.Status()
@@ -541,7 +578,7 @@ func initSubmodules(ctx context.Context, logf func(string, ...any), repo *git.Re
 		if err != nil {
 			return fmt.Errorf("resolve submodule URL for %q: %w", subConfig.Name, err)
 		}
-		logf("  Resolved URL: %s", resolvedURL)
+		logf("  Resolved URL: %s", RedactURL(resolvedURL))
 
 		// Clone the submodule manually
 		err = cloneSubmodule(ctx, logf, w, subConfig, subStatus.Expected, resolvedURL, opts)
@@ -619,7 +656,7 @@ func cloneSubmodule(ctx context.Context, logf func(string, ...any), parentWorktr
 	}
 
 	// Clone the submodule
-	logf("  Cloning submodule from: %s", resolvedURL)
+	logf("  Cloning submodule from: %s", RedactURL(resolvedURL))
 
 	// Create .git directory for the submodule
 	err = subFS.MkdirAll(".git", 0o755)
diff --git a/git/git_test.go b/git/git_test.go
@@ -533,6 +533,153 @@ func mustRead(t *testing.T, fs billy.Filesystem, path string) string {
 	return string(content)
 }
 
+func TestRedactURL(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name   string
+		input  string
+		expect string
+	}{
+		// Standard URLs without credentials
+		{
+			name:   "https no creds",
+			input:  "https://github.com/org/repo.git",
+			expect: "https://github.com/org/repo.git",
+		},
+		{
+			name:   "git protocol no creds",
+			input:  "git://github.com/org/repo.git",
+			expect: "git://github.com/org/repo.git",
+		},
+
+		// HTTPS with various credential formats
+		{
+			name:   "https with user and password",
+			input:  "https://user:password@github.com/org/repo.git",
+			expect: "https://***@github.com/org/repo.git",
+		},
+		{
+			name:   "https with token only (no password)",
+			input:  "https://ghp_xxxxxxxxxxxx@github.com/org/repo.git",
+			expect: "https://***@github.com/org/repo.git",
+		},
+		{
+			name:   "https with user only (no password)",
+			input:  "https://user@github.com/org/repo.git",
+			expect: "https://***@github.com/org/repo.git",
+		},
+		{
+			name:   "https with x-access-token",
+			input:  "https://x-access-token:ghp_secret123@github.com/org/repo.git",
+			expect: "https://***@github.com/org/repo.git",
+		},
+
+		// URL-encoded credentials
+		{
+			name:   "https with URL-encoded password",
+			input:  "https://user:p%40ss%3Aw0rd@github.com/org/repo.git",
+			expect: "https://***@github.com/org/repo.git",
+		},
+		{
+			name:   "https with URL-encoded username",
+			input:  "https://user%40domain:pass@github.com/org/repo.git",
+			expect: "https://***@github.com/org/repo.git",
+		},
+
+		// HTTP
+		{
+			name:   "http with creds",
+			input:  "http://user:pass@example.com/repo.git",
+			expect: "http://***@example.com/repo.git",
+		},
+
+		// SSH URLs (with scheme)
+		{
+			name:   "ssh with user",
+			input:  "ssh://git@github.com/org/repo.git",
+			expect: "ssh://***@github.com/org/repo.git",
+		},
+		{
+			name:   "ssh with different user",
+			input:  "ssh://deploy@github.com/org/repo.git",
+			expect: "ssh://***@github.com/org/repo.git",
+		},
+
+		// SCP-like URLs (no scheme)
+		{
+			name:   "scp-like git user",
+			input:  "git@github.com:org/repo.git",
+			expect: "***@github.com:org/repo.git",
+		},
+		{
+			name:   "scp-like deploy user",
+			input:  "deploy@host:repo.git",
+			expect: "***@host:repo.git",
+		},
+		{
+			name:   "scp-like with IP address",
+			input:  "user@10.0.0.5:project.git",
+			expect: "***@10.0.0.5:project.git",
+		},
+		{
+			name:   "scp-like with token as user",
+			input:  "oauth2:ghp_secret@gitlab.com:org/repo.git",
+			expect: "***@gitlab.com:org/repo.git",
+		},
+
+		// IPv6 hosts
+		{
+			name:   "https with IPv6 and creds",
+			input:  "https://user:pass@[2001:db8::1]/path/repo.git",
+			expect: "https://***@[2001:db8::1]/path/repo.git",
+		},
+		{
+			name:   "https with IPv6 no creds",
+			input:  "https://[2001:db8::1]/path/repo.git",
+			expect: "https://[2001:db8::1]/path/repo.git",
+		},
+
+		// Other schemes
+		{
+			name:   "ftp with creds",
+			input:  "ftp://user:pass@host/path",
+			expect: "ftp://***@host/path",
+		},
+		{
+			name:   "sftp with user only",
+			input:  "sftp://user@host/path",
+			expect: "sftp://***@host/path",
+		},
+
+		// Edge cases
+		{
+			name:   "plain path (not a URL)",
+			input:  "/local/path/to/repo",
+			expect: "/local/path/to/repo",
+		},
+		{
+			name:   "relative path",
+			input:  "../sibling/repo.git",
+			expect: "../sibling/repo.git",
+		},
+		{
+			name:   "file URL",
+			input:  "file:///local/repo.git",
+			expect: "file:///local/repo.git",
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			got := git.RedactURL(tc.input)
+			require.Equal(t, tc.expect, got)
+		})
+	}
+}
+
 func TestResolveSubmoduleURL(t *testing.T) {
 	t.Parallel()
 
