Fix: some error URLs aren't sanitized (#3385)

gethomepage · Apr 30, 2024 · ea63716 · ea63716
1 parent daa51f9
commit ea63716
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/src/utils/proxy/api-helpers.js b/src/utils/proxy/api-helpers.js
@@ -57,7 +57,7 @@ export function jsonArrayFilter(data, filter) {
 export function sanitizeErrorURL(errorURL) {
   // Dont display sensitive params on frontend
   const url = new URL(errorURL);
-  ["apikey", "api_key", "token", "t", "access_token"].forEach((key) => {
+  ["apikey", "api_key", "token", "t", "access_token", "auth"].forEach((key) => {
     if (url.searchParams.has(key)) url.searchParams.set(key, "***");
   });
   return url.toString();

diff --git a/src/utils/proxy/http.js b/src/utils/proxy/http.js
@@ -5,6 +5,7 @@ import { createUnzip, constants as zlibConstants } from "node:zlib";
 import { http, https } from "follow-redirects";
 
 import { addCookieToJar, setCookieHeader } from "./cookie-jar";
+import { sanitizeErrorURL } from "./api-helpers";
 
 import createLogger from "utils/logger";
 
@@ -113,6 +114,11 @@ export async function httpProxy(url, params = {}) {
       constructedUrl.pathname,
     );
     if (err) logger.error(err);
-    return [500, "application/json", { error: { message: err?.message ?? "Unknown error", url, rawError: err } }, null];
+    return [
+      500,
+      "application/json",
+      { error: { message: err?.message ?? "Unknown error", url: sanitizeErrorURL(url), rawError: err } },
+      null,
+    ];
   }
 }