Skip to content

Commit f6bd417

Browse files
dduzgun-securitydduzgun-security
authored
fix: url redact of multiple sshkey (#528)
* fix: url redact of multiple sshkey * clean unrequired reassignment and add more tests
1 parent 1fc83f9 commit f6bd417

File tree

2 files changed

+52
-4
lines changed

2 files changed

+52
-4
lines changed

url.go

Lines changed: 7 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,8 @@ import "net/url"
99
// which is like url.String but replaces any password with "redacted".
1010
// Only the password in u.URL is redacted. This allows the library
1111
// to maintain compatibility with go1.14.
12-
// This port was also extended to redact SSH key from URL query parameter.
12+
// This port was also extended to redact all "sshkey" from URL query parameter
13+
// and replace them with "redacted".
1314
func RedactURL(u *url.URL) string {
1415
if u == nil {
1516
return ""
@@ -20,8 +21,11 @@ func RedactURL(u *url.URL) string {
2021
ru.User = url.UserPassword(ru.User.Username(), "redacted")
2122
}
2223
q := ru.Query()
23-
if q.Get("sshkey") != "" {
24-
q.Set("sshkey", "redacted")
24+
if q.Has("sshkey") {
25+
values := q["sshkey"]
26+
for i := range values {
27+
values[i] = "redacted"
28+
}
2529
ru.RawQuery = q.Encode()
2630
}
2731
return ru.String()

url_test.go

Lines changed: 45 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -83,7 +83,51 @@ func TestRedactURL(t *testing.T) {
8383
Path: "hashicorp/go-getter-test-private.git",
8484
RawQuery: "sshkey=",
8585
},
86-
want: "ssh://[email protected]/hashicorp/go-getter-test-private.git?sshkey=",
86+
want: "ssh://[email protected]/hashicorp/go-getter-test-private.git?sshkey=redacted",
87+
},
88+
{
89+
name: "multiple SSH keys with no and non-empty values",
90+
url: &url.URL{
91+
Scheme: "ssh",
92+
User: url.User("git"),
93+
Host: "github.com",
94+
Path: "hashicorp/go-getter-test-private.git",
95+
RawQuery: "sshkey&sshkey=secretkey",
96+
},
97+
want: "ssh://[email protected]/hashicorp/go-getter-test-private.git?sshkey=redacted&sshkey=redacted",
98+
},
99+
{
100+
name: "multiple SSH keys with all empty values",
101+
url: &url.URL{
102+
Scheme: "ssh",
103+
User: url.User("git"),
104+
Host: "github.com",
105+
Path: "hashicorp/go-getter-test-private.git",
106+
RawQuery: "sshkey&sshkey",
107+
},
108+
want: "ssh://[email protected]/hashicorp/go-getter-test-private.git?sshkey=redacted&sshkey=redacted",
109+
},
110+
{
111+
name: "multiple SSH keys with mixed empty and blank values",
112+
url: &url.URL{
113+
Scheme: "ssh",
114+
User: url.User("git"),
115+
Host: "github.com",
116+
Path: "hashicorp/go-getter-test-private.git",
117+
RawQuery: "sshkey=&sshkey=secretkey",
118+
},
119+
want: "ssh://[email protected]/hashicorp/go-getter-test-private.git?sshkey=redacted&sshkey=redacted",
120+
},
121+
{
122+
name: "multiple SSH keys in URL query parameter",
123+
url: &url.URL{
124+
Scheme: "ssh",
125+
User: url.User("git"),
126+
Host: "github.com",
127+
Path: "hashicorp/go-getter-test-private.git",
128+
RawQuery: "sshkey=secretkey1&sshkey=secretkey2",
129+
},
130+
want: "ssh://[email protected]/hashicorp/go-getter-test-private.git?sshkey=redacted&sshkey=redacted",
87131
},
88132
}
89133

0 commit comments

Comments
 (0)