feat: safely log git url (#612)

* feat: safely log url Signed-off-by: Adam Setch <[email protected]> * feat: ensure tmp directory doesn't contain query params Signed-off-by: Adam Setch <[email protected]> * remove user info (username and hashed password) Signed-off-by: Adam Setch <[email protected]> --------- Signed-off-by: Adam Setch <[email protected]>
CycloneDX · Oct 4, 2023 · 45c2f28 · 45c2f28
1 parent cf2d442
commit 45c2f28
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/server.js b/server.js
@@ -8,6 +8,7 @@ import fs from "node:fs";
 import path from "node:path";
 import { createBom, submitBom } from "./index.js";
 import compression from "compression";
+import { URL } from "url";
 
 // Timeout milliseconds. Default 10 mins
 const TIMEOUT_MS =
@@ -24,10 +25,14 @@ app.use(
 app.use(compression());
 
 const gitClone = (repoUrl) => {
+  const parsedUrl = new URL(repoUrl);
+
+  const sanitizedRepoUrl = `${parsedUrl.protocol}//${parsedUrl.host}${parsedUrl.pathname}`;
+
   const tempDir = fs.mkdtempSync(
-    path.join(os.tmpdir(), path.basename(repoUrl))
+    path.join(os.tmpdir(), path.basename(parsedUrl.pathname))
   );
-  console.log("Cloning", repoUrl, "to", tempDir);
+  console.log("Cloning", sanitizedRepoUrl, "to", tempDir);
   const result = spawnSync("git", ["clone", repoUrl, "--depth", "1", tempDir], {
     encoding: "utf-8",
     shell: false