diff options
author | Ethan Koenig <ethantkoenig@gmail.com> | 2017-12-03 17:48:03 -0800 |
---|---|---|
committer | Lauris BH <lauris@nix.lv> | 2017-12-04 03:48:03 +0200 |
commit | 3c1b1ca78e93fb464a5bb64aae9d845bc9f0b9c0 (patch) | |
tree | 8bdb041a1a0888a39b967006d20e1997c4b4fce4 /modules/util | |
parent | 5dc37b187c8b839a15ff73758799f218ddeb3bc9 (diff) | |
download | gitea-3c1b1ca78e93fb464a5bb64aae9d845bc9f0b9c0.tar.gz gitea-3c1b1ca78e93fb464a5bb64aae9d845bc9f0b9c0.zip |
Fix error message sanitiziation (#3082)
Diffstat (limited to 'modules/util')
-rw-r--r-- | modules/util/sanitize.go | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/modules/util/sanitize.go b/modules/util/sanitize.go new file mode 100644 index 0000000000..b1c17b29cf --- /dev/null +++ b/modules/util/sanitize.go @@ -0,0 +1,48 @@ +// Copyright 2017 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package util + +import ( + "net/url" + "strings" +) + +// urlSafeError wraps an error whose message may contain a sensitive URL +type urlSafeError struct { + err error + unsanitizedURL string +} + +func (err urlSafeError) Error() string { + return SanitizeMessage(err.err.Error(), err.unsanitizedURL) +} + +// URLSanitizedError returns the sanitized version an error whose message may +// contain a sensitive URL +func URLSanitizedError(err error, unsanitizedURL string) error { + return urlSafeError{err: err, unsanitizedURL: unsanitizedURL} +} + +// SanitizeMessage sanitizes a message which may contains a sensitive URL +func SanitizeMessage(message, unsanitizedURL string) string { + sanitizedURL := SanitizeURLCredentials(unsanitizedURL, true) + return strings.Replace(message, unsanitizedURL, sanitizedURL, -1) +} + +// SanitizeURLCredentials sanitizes a url, either removing user credentials +// or replacing them with a placeholder. +func SanitizeURLCredentials(unsanitizedURL string, usePlaceholder bool) string { + u, err := url.Parse(unsanitizedURL) + if err != nil { + // don't log the error, since it might contain unsanitized URL. + return "(unparsable url)" + } + if u.User != nil && usePlaceholder { + u.User = url.User("<credentials>") + } else { + u.User = nil + } + return u.String() +} |