feat: safely log url

Signed-off-by: Adam Setch <[email protected]>
CycloneDX · Oct 4, 2023 · 67dc171 · 67dc171
1 parent cf2d442
commit 67dc171
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/server.js b/server.js
@@ -8,6 +8,7 @@ import fs from "node:fs";
 import path from "node:path";
 import { createBom, submitBom } from "./index.js";
 import compression from "compression";
+import { URL } from "url";
 
 // Timeout milliseconds. Default 10 mins
 const TIMEOUT_MS =
@@ -24,10 +25,19 @@ app.use(
 app.use(compression());
 
 const gitClone = (repoUrl) => {
+  const parsedUrl = new URL(repoUrl);
+
+  const userInfo =
+    parsedUrl.username && parsedUrl.password
+      ? `${parsedUrl.username}:*****`
+      : parsedUrl.username || "";
+
+  const sanitizedRepoUrl = `${parsedUrl.protocol}//${userInfo}${parsedUrl.host}${parsedUrl.pathname}`;
+
   const tempDir = fs.mkdtempSync(
     path.join(os.tmpdir(), path.basename(repoUrl))
   );
-  console.log("Cloning", repoUrl, "to", tempDir);
+  console.log("Cloning", sanitizedRepoUrl, "to", tempDir);
   const result = spawnSync("git", ["clone", repoUrl, "--depth", "1", tempDir], {
     encoding: "utf-8",
     shell: false