Prevent credential leaks in exception messages

hyperized · hyperized · commit b65fab1b31cd · 2026-04-11T22:11:56.000+02:00
diff --git a/src/Exceptions/InvalidArgumentException.php b/src/Exceptions/InvalidArgumentException.php
@@ -8,7 +8,7 @@ class InvalidArgumentException extends \InvalidArgumentException
 {
     public static function apiFailed(GuzzleException $exception): InvalidArgumentException
     {
-        return new self('API call returned an invalid response: ' . $exception->getMessage() . '.');
+        return new self('API call failed: ' . $exception->getCode(), previous: $exception);
     }
 
     public static function configVariableNotAString(): InvalidArgumentException
diff --git a/tests/Unit/InvalidArgumentExceptionTest.php b/tests/Unit/InvalidArgumentExceptionTest.php
@@ -18,24 +18,21 @@ public function testApiFailedMessageFormat(): void
 
         $exception = InvalidArgumentException::apiFailed($guzzleException);
 
-        self::assertSame(
-            'API call returned an invalid response: Connection refused.',
-            $exception->getMessage()
-        );
+        self::assertSame('API call failed: 0', $exception->getMessage());
+        self::assertSame($guzzleException, $exception->getPrevious());
     }
 
-    public function testApiFailedPreservesExceptionMessage(): void
+    public function testApiFailedDoesNotExposeRequestDetails(): void
     {
         $guzzleException = new RequestException(
-            'Timeout exceeded',
-            new Request('POST', 'https://example.com')
+            'Error with https://secret.example.com/api?key=abc123',
+            new Request('POST', 'https://secret.example.com/api?key=abc123')
         );
 
         $exception = InvalidArgumentException::apiFailed($guzzleException);
 
-        self::assertStringStartsWith('API call returned an invalid response: ', $exception->getMessage());
-        self::assertStringEndsWith('.', $exception->getMessage());
-        self::assertStringContainsString('Timeout exceeded', $exception->getMessage());
+        self::assertStringNotContainsString('secret.example.com', $exception->getMessage());
+        self::assertStringNotContainsString('abc123', $exception->getMessage());
     }
 
     public function testConfigVariableNotAString(): void

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@ class InvalidArgumentException extends \InvalidArgumentException`
`8`	`8`	`{`
`9`	`9`	`public static function apiFailed(GuzzleException $exception): InvalidArgumentException`
`10`	`10`	`{`
`11`		`- return new self('API call returned an invalid response: ' . $exception->getMessage() . '.');`
	`11`	`+ return new self('API call failed: ' . $exception->getCode(), previous: $exception);`
`12`	`12`	`}`
`13`	`13`
`14`	`14`	`public static function configVariableNotAString(): InvalidArgumentException`