From f5f9fe41c1c79a7cd3b4ec3e6417f913c5657f84 Mon Sep 17 00:00:00 2001
From: gonzaloriestra <14979109+gonzaloriestra@users.noreply.github.com>
Date: Sun, 17 May 2026 00:28:53 +0000
Subject: [PATCH] [Security] Harden URL sanitization

This PR enhances `sanitizeURL` to redact passwords from the URL authority and includes more sensitive query parameters (like `code_verifier`, `password`, and `assertion`) in the redaction list. This reduces the risk of sensitive credentials being leaked in debug logs or error messages.

### How to test your changes?

CI. (Internal utility `sanitizeURL` is now verified by expanded unit tests).
---
 .../cli-kit/src/private/node/api/urls.test.ts | 27 +++++++++++++++++++
 packages/cli-kit/src/private/node/api/urls.ts | 10 ++++++-
 2 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/packages/cli-kit/src/private/node/api/urls.test.ts b/packages/cli-kit/src/private/node/api/urls.test.ts
index 62492fb2eb7..c23e2181973 100644
--- a/packages/cli-kit/src/private/node/api/urls.test.ts
+++ b/packages/cli-kit/src/private/node/api/urls.test.ts
@@ -56,6 +56,11 @@ describe('sanitizeURL', () => {
 'client_secret',
 'code',
 'token',
+ 'password',
+ 'code_verifier',
+ 'client_assertion',
+ 'assertion',
+ 'auth_token',
 ])('sanitizes %s query parameter', (param) => {
 // Given
 const url = `https://example.com?${param}=secret-value`
@@ -79,4 +84,26 @@ describe('sanitizeURL', () => {
 'https://example.com/?access_token=****&refresh_token=****&device_code=****&subject_token=****&other=keep',
 )
 })
+
+ test('redacts password from URL authority', () => {
+ // Given
+ const url = 'https://user:password123@example.com/path'
+
+ // When
+ const sanitizedUrl = sanitizeURL(url)
+
+ // Then
+ expect(sanitizedUrl).toBe('https://user:****@example.com/path')
+ })
+
+ test('redacts both password and sensitive query parameters', () => {
+ // Given
+ const url = 'https://user:secret@example.com/path?access_token=tok&other=keep'
+
+ // When
+ const sanitizedUrl = sanitizeURL(url)
+
+ // Then
+ expect(sanitizedUrl).toBe('https://user:****@example.com/path?access_token=****&other=keep')
+ })
 })
diff --git a/packages/cli-kit/src/private/node/api/urls.ts b/packages/cli-kit/src/private/node/api/urls.ts
index fd1297f7c58..ffa54550cf8 100644
--- a/packages/cli-kit/src/private/node/api/urls.ts
+++ b/packages/cli-kit/src/private/node/api/urls.ts
@@ -12,11 +12,16 @@ const SENSITIVE_QUERY_PARAMS = [
 'client_secret',
 'code',
 'token',
+ 'password',
+ 'code_verifier',
+ 'client_assertion',
+ 'assertion',
+ 'auth_token',
 ]
 
 /**
 * Removes the sensitive data from the url and outputs them as a string.
- * @param url - HTTP headers.
+ * @param url - The URL to sanitize.
 * @returns A sanitized version of the url as a string.
 */
 export function sanitizeURL(url: string): string {
@@ -26,5 +31,8 @@ export function sanitizeURL(url: string): string {
 parsedUrl.searchParams.set(param, '****')
 }
 }
+ if (parsedUrl.password) {
+ parsedUrl.password = '****'
+ }
 return parsedUrl.toString()
 }
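Review bot: The doc comment above `sanitizeURL` (hunk `@@ -12,11 +12,16 @@` in urls.ts) still says the sensitive data is removed, although the visible code replaces values with `****`, and it does not say which parts of the URL are covered. I would reword the summary line to `* Replaces the values of the SENSITIVE_QUERY_PARAMS query parameters and the password in the URL authority with ****.` and add `* The username, path and fragment are not modified.` so that callers logging the result know what can still appear in it. The second sentence is inferred from the lines shown, since the start of the function body is outside the hunk, and should be confirmed against the full file.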
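Review bot: In the last hunk of urls.ts (`@@ -26,5 +31,8 @@`) only `parsedUrl.password` is masked, so a credential carried in the username part of the authority, for example a token-only `https://<token>@host` form where the password is empty, is returned unchanged. Adding `if (parsedUrl.username) parsedUrl.username = '****'` next to the password check would cover that case; the two new tests in urls.test.ts that expect `user:****@` would need updating, and a username-only case is worth adding. Nothing in the visible lines touches the URL fragment either, which may matter if callers ever pass redirect URLs that carry tokens there. The beginning of `sanitizeURL` lies outside the hunk, so this is based on the lines shown.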