Skip to content

Remove embedded credentials from error message #98

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
chrmarti merged 1 commit into from
Apr 9, 2026
+69 −1
Merged

Remove embedded credentials from error message #98

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 12 additions & 1 deletion src/agent.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -128,10 +128,21 @@ export class PacProxyAgent extends Agent {
req.emit('proxy', { proxy, error: err });
}

throw new Error(`Failed to establish a socket connection to proxies: ${result}`);
throw new Error(`Failed to establish a socket connection to proxies: ${sanitizeProxyResultCredentials(result)}`);
}
}

/**
* Replaces credentials (userinfo) in proxy resolver result strings with a placeholder.
* E.g., "PROXY user:pass@host:8080" → "PROXY <credentials>@host:8080"
*/
export function sanitizeProxyResultCredentials(result: string | undefined): string {
if (!result) {
return '';
}
return String(result).replace(/(\b(?:PROXY|HTTPS?|SOCKS[45]?)\s+)[^\s@]+@/gi, '$1<credentials>@');
}

export function getProxyURLFromResolverResult(result: string | undefined) {
// Default to "DIRECT" if a falsey value was returned (or nothing)
if (!result) {
Expand Down
57 changes: 57 additions & 0 deletions tests/src/sanitizeProxyResultCredentials.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
import * as assert from 'assert';
import { sanitizeProxyResultCredentials } from '../../src/agent';

describe('sanitizeProxyResultCredentials', function () {
it('should replace user:pass with placeholder in PROXY target', function () {
assert.strictEqual(
sanitizeProxyResultCredentials('PROXY testuser:testpass@host:8080'),
'PROXY <credentials>@host:8080'
);
});

it('should replace user:pass with special chars', function () {
assert.strictEqual(
sanitizeProxyResultCredentials('PROXY jane.fictional%40corp.example.com:fictional123@proxy.fictional.example.com:8080'),
'PROXY <credentials>@proxy.fictional.example.com:8080'
);
});

it('should replace user-only (no password) with placeholder', function () {
assert.strictEqual(
sanitizeProxyResultCredentials('PROXY fictional-user@proxy.fictional.example.com:3128'),
'PROXY <credentials>@proxy.fictional.example.com:3128'
);
});

it('should replace credentials from HTTPS proxy', function () {
assert.strictEqual(
sanitizeProxyResultCredentials('HTTPS fictional-user:fictional-pass@proxy.fictional.example.com:8443'),
'HTTPS <credentials>@proxy.fictional.example.com:8443'
);
});

it('should not modify PROXY without credentials', function () {
assert.strictEqual(
sanitizeProxyResultCredentials('PROXY proxy.fictional.example.com:8080'),
'PROXY proxy.fictional.example.com:8080'
);
});

it('should not modify DIRECT', function () {
assert.strictEqual(
sanitizeProxyResultCredentials('DIRECT'),
'DIRECT'
);
});

it('should handle undefined', function () {
assert.strictEqual(sanitizeProxyResultCredentials(undefined), '');
});

it('should handle multiple proxies with semicolons', function () {
assert.strictEqual(
sanitizeProxyResultCredentials('PROXY testuser:testpass@host1:8080; PROXY host2:8080; DIRECT'),
'PROXY <credentials>@host1:8080; PROXY host2:8080; DIRECT'
);
});
});
Loading