[Security] Harden URL sanitization

packages/cli-kit/src/private/node/api/urls.test.ts

@@ -56,6 +56,11 @@ describe('sanitizeURL', () => {
     'client_secret',
     'code',
     'token',
+    'password',
+    'code_verifier',
+    'client_assertion',
+    'assertion',
+    'auth_token',
   ])('sanitizes %s query parameter', (param) => {
     // Given
     const url = `https://example.com?${param}=secret-value`
@@ -79,4 +84,26 @@ describe('sanitizeURL', () => {
       'https://example.com/?access_token=****&refresh_token=****&device_code=****&subject_token=****&other=keep',
     )
   })
+
+  test('redacts password from URL authority', () => {
+    // Given
+    const url = 'https://user:password123@example.com/path'
+
+    // When
+    const sanitizedUrl = sanitizeURL(url)
+
+    // Then
+    expect(sanitizedUrl).toBe('https://user:****@example.com/path')
+  })
+
+  test('redacts both password and sensitive query parameters', () => {
+    // Given
+    const url = 'https://user:secret@example.com/path?access_token=tok&other=keep'
+
+    // When
+    const sanitizedUrl = sanitizeURL(url)
+
+    // Then
+    expect(sanitizedUrl).toBe('https://user:****@example.com/path?access_token=****&other=keep')
+  })
 })

packages/cli-kit/src/private/node/api/urls.ts

@@ -12,11 +12,16 @@ const SENSITIVE_QUERY_PARAMS = [
   'client_secret',
   'code',
   'token',
+  'password',
+  'code_verifier',
+  'client_assertion',
+  'assertion',
+  'auth_token',
 ]
 
 /**
  * Removes the sensitive data from the url and outputs them as a string.
- * @param url - HTTP headers.
+ * @param url - The URL to sanitize.
  * @returns A sanitized version of the url as a string.
  */
 export function sanitizeURL(url: string): string {
@@ -26,5 +31,8 @@ export function sanitizeURL(url: string): string {
       parsedUrl.searchParams.set(param, '****')
     }
   }
+  if (parsedUrl.password) {
+    parsedUrl.password = '****'
+  }
   return parsedUrl.toString()
 }