Obfuscate credentials logged via FailedRequestException

itzg · itzg · commit ee4c2c0829a9 · 2025-06-20T20:20:07.000-05:00
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
@@ -6,3 +6,23 @@ Beyond the unit tests, ad hoc "integration testing" can be done by running via G
 ./gradlew run --args="assert fileExists build.gradle"
 ```
 
+### Using IntelliJ
+
+Create an "Application" run configuration, such as shown here:
+
+![intellij-run-config](docs/intellij-run-config.png)
+
+### Build and use application script
+
+Build and install the distribution script
+
+```shell
+./gradlew installDist
+```
+
+Run the script using:
+
+```shell
+./build/install/mc-image-helper/bin/mc-image-helper ...args...
+```
+
diff --git a/docs/intellij-run-config.png b/docs/intellij-run-config.png
diff --git a/src/main/java/me/itzg/helpers/http/FailedRequestException.java b/src/main/java/me/itzg/helpers/http/FailedRequestException.java
@@ -3,6 +3,7 @@
 import io.netty.handler.codec.http.HttpHeaders;
 import io.netty.handler.codec.http.HttpResponseStatus;
 import java.net.URI;
+import java.net.URISyntaxException;
 import lombok.Getter;
 import lombok.ToString;
 
@@ -19,14 +20,23 @@ public class FailedRequestException extends RuntimeException {
      */
     public FailedRequestException(HttpResponseStatus status, URI uri, String body, String msg, HttpHeaders headers) {
         super(
-            String.format("HTTP request of %s failed with %s: %s", uri, status, msg)
+            String.format("HTTP request of %s failed with %s: %s", obfuscate(uri), status, msg)
         );
         this.uri = uri;
         this.statusCode = status.code();
         this.body = body;
         this.headers = headers;
     }
 
+    public static String obfuscate(URI uri) {
+        try {
+            return new URI(uri.getScheme(), uri.getUserInfo() != null ? "*:*" : null, uri.getHost(), uri.getPort(), uri.getPath(), uri.getQuery(), uri.getFragment())
+                .toString();
+        } catch (URISyntaxException e) {
+            return "???";
+        }
+    }
+
     @SuppressWarnings("unused")
     public static boolean isNotFound(Throwable throwable) {
         return isStatus(throwable, HttpResponseStatus.NOT_FOUND);
diff --git a/src/test/java/me/itzg/helpers/http/FailedRequestExceptionTest.java b/src/test/java/me/itzg/helpers/http/FailedRequestExceptionTest.java
@@ -0,0 +1,21 @@
+package me.itzg.helpers.http;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.net.URI;
+import org.junit.jupiter.api.Test;
+
+class FailedRequestExceptionTest {
+
+    @Test
+    void obfuscate() {
+        assertThat(FailedRequestException.obfuscate(
+            URI.create("https://example.com/path?query=value")
+        ))
+            .isEqualTo("https://example.com/path?query=value");
+        assertThat(FailedRequestException.obfuscate(
+            URI.create("https://user:pass@example.com/path?query=value")
+        ))
+            .isEqualTo("https://*:*@example.com/path?query=value");
+    }
+}
