Fix infinite loop in redact_api_key when string has multiple api_key params

ilyazub · ilyazub · commit d203a27b4d18 · 2026-03-25T21:07:51.000+01:00
After replacing a value with [REDACTED], the search offset must advance
past the replacement. Without this, out.find("api_key=") re-finds the
same position on every iteration and loops forever.

Also adds five unit tests covering: no-op, single, multiple occurrences,
end-of-string, and already-redacted inputs.
diff --git a/src/error.rs b/src/error.rs
@@ -19,13 +19,17 @@ fn redact_api_key(s: &str) -> std::borrow::Cow<'_, str> {
         return std::borrow::Cow::Borrowed(s);
     }
     let mut out = s.to_string();
-    while let Some(pos) = out.find("api_key=") {
+    let mut search_from = 0;
+    while let Some(rel) = out[search_from..].find("api_key=") {
+        let pos = search_from + rel;
         let value_start = pos + "api_key=".len();
         let value_end = out[value_start..]
             .find(['&', ' ', ')', '"', '\''])
             .map(|i| value_start + i)
             .unwrap_or(out.len());
         out.replace_range(value_start..value_end, "[REDACTED]");
+        // Advance past "api_key=[REDACTED]" so we don't re-examine it.
+        search_from = value_start + "[REDACTED]".len();
     }
     std::borrow::Cow::Owned(out)
 }
@@ -60,3 +64,49 @@ pub fn exit_code(err: &CliError) -> i32 {
         CliError::NetworkError { .. } => 1,
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_redact_no_api_key_is_noop() {
+        let s = "some error without credentials";
+        assert!(matches!(redact_api_key(s), std::borrow::Cow::Borrowed(_)));
+    }
+
+    #[test]
+    fn test_redact_single_occurrence() {
+        let s = "https://serpapi.com/search.json?q=coffee&api_key=supersecret&engine=google";
+        let result = redact_api_key(s);
+        assert!(result.contains("api_key=[REDACTED]"));
+        assert!(!result.contains("supersecret"));
+    }
+
+    #[test]
+    fn test_redact_multiple_occurrences_no_infinite_loop() {
+        // Two api_key params (e.g. malformed URL); must terminate and redact both.
+        let s = "api_key=first&other=x&api_key=second";
+        let result = redact_api_key(s);
+        assert!(result.contains("api_key=[REDACTED]"));
+        assert!(!result.contains("first"));
+        assert!(!result.contains("second"));
+        // Both occurrences replaced
+        assert_eq!(result.matches("[REDACTED]").count(), 2);
+    }
+
+    #[test]
+    fn test_redact_at_end_of_string() {
+        let s = "request failed: api_key=abc123";
+        let result = redact_api_key(s);
+        assert_eq!(result, "request failed: api_key=[REDACTED]");
+    }
+
+    #[test]
+    fn test_redact_already_redacted_does_not_loop() {
+        // If somehow called twice, [REDACTED] contains no secret and loop terminates.
+        let s = "api_key=[REDACTED]";
+        let result = redact_api_key(s);
+        assert_eq!(result.as_ref(), "api_key=[REDACTED]");
+    }
+}
