Redact URL-encoded characters in userinfo of URLs

clayburn · clayburn · commit c2bf66820812 · 2025-06-05T12:17:26.000-05:00
diff --git a/src/main/java/com/gradle/CustomBuildScanEnhancements.java b/src/main/java/com/gradle/CustomBuildScanEnhancements.java
@@ -421,7 +421,7 @@ public void execute(BuildScanAdapter buildScan) {
             String gitStatus = execAndGetStdOut("git", "status", "--porcelain");
 
             if (isNotEmpty(gitRepo)) {
-                buildScan.value("Git repository", redactUserInfo(gitRepo));
+                redactUserInfo(gitRepo).ifPresent(redactedGitRepo -> buildScan.value("Git repository", redactedGitRepo));
             }
             if (isNotEmpty(gitCommitId)) {
                 buildScan.value("Git commit id", gitCommitId);
diff --git a/src/main/java/com/gradle/Utils.java b/src/main/java/com/gradle/Utils.java
@@ -94,14 +94,24 @@ static String urlEncode(String str) {
         }
     }
 
-    static String redactUserInfo(String url) {
+    static Optional<String> redactUserInfo(String url) {
+        if (!url.startsWith("http")) {
+            return Optional.of(url);
+        }
+
         try {
-            String userInfo = new URI(url).getUserInfo();
-            return userInfo == null
-                ? url
-                : url.replace(userInfo + '@', "******@");
+            URI uri = new URI(url);
+            URI redactedUri = new URI(
+                    uri.getScheme(),
+                    uri.getUserInfo() == null || uri.getUserInfo().isEmpty() ? null : "******",
+                    uri.getHost(),
+                    uri.getPort(),
+                    uri.getRawPath(),
+                    uri.getRawQuery(),
+                    uri.getRawFragment());
+            return Optional.of(redactedUri.toString());
         } catch (URISyntaxException e) {
-            return url;
+            return Optional.empty();
         }
     }
 
diff --git a/src/test/java/com/gradle/UtilsTest.java b/src/test/java/com/gradle/UtilsTest.java
@@ -7,6 +7,8 @@
 import org.junit.jupiter.params.provider.ArgumentsSource;
 
 import java.net.URI;
+import java.util.HashMap;
+import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Collectors;
@@ -31,6 +33,12 @@ public void testToWebRepoUri_enterpriseUri(String repositoryHost, String reposit
         assertEquals(Optional.of(expectedWebRepoUri), toWebRepoUri(String.format(repositoryUri, repositoryHost)));
     }
 
+    @ParameterizedTest
+    @ArgumentsSource(UserInfoArgumentsProvider.class)
+    public void testUserInfoRedacted(String inputUrl, String expectedRedactedUrl) {
+        assertEquals(expectedRedactedUrl, Utils.redactUserInfo(inputUrl).orElse(null));
+    }
+
     private static class WebRepoUriArgumentsProvider implements ArgumentsProvider {
 
         @Override
@@ -40,6 +48,8 @@ public Stream<? extends Arguments> provideArguments(ExtensionContext context) {
                     "https://%s.com/acme-inc/my-project",
                     "https://%s.com:443/acme-inc/my-project",
                     "https://user:secret@%s.com/acme-inc/my-project",
+                    "https://user:secret%%1Fpassword@%s.com/acme-inc/my-project",
+                    "https://user:secret%%1password@%s.com/acme-inc/my-project",
                     "ssh://git@%s.com/acme-inc/my-project.git",
                     "ssh://git@%s.com:22/acme-inc/my-project.git",
                     "git://%s.com/acme-inc/my-project.git",
@@ -61,4 +71,20 @@ public Stream<? extends Arguments> provideArguments(ExtensionContext context) {
             return host.stream().flatMap(h -> remoteRepositoryUris.stream().map(r -> Arguments.arguments(h, r)));
         }
     }
+
+    private static class UserInfoArgumentsProvider implements ArgumentsProvider {
+
+        @Override
+        public Stream<? extends Arguments> provideArguments(ExtensionContext context) {
+            Map<String, String> cases = new HashMap<>();
+            cases.put("https://user:password@acme.com/acme-inc/my-project", "https://******@acme.com/acme-inc/my-project");
+            cases.put("https://user%1Fname:password@acme.com/acme-inc/my-project", "https://******@acme.com/acme-inc/my-project");
+            cases.put("https://user:secret%1Fpassword@acme.com/acme-inc/my-project", "https://******@acme.com/acme-inc/my-project");
+            cases.put("https://user:secret%1password@acme.com/acme-inc/my-project", null);
+            cases.put("git@github.com:gradle/common-custom-user-data-gradle-plugin.git", "git@github.com:gradle/common-custom-user-data-gradle-plugin.git");
+
+            return cases.entrySet().stream()
+                    .map(entry -> Arguments.arguments(entry.getKey(), entry.getValue()));
+        }
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -421,7 +421,7 @@ public void execute(BuildScanAdapter buildScan) {`
`421`	`421`	`String gitStatus = execAndGetStdOut("git", "status", "--porcelain");`
`422`	`422`
`423`	`423`	`if (isNotEmpty(gitRepo)) {`
`424`		`- buildScan.value("Git repository", redactUserInfo(gitRepo));`
	`424`	`+ redactUserInfo(gitRepo).ifPresent(redactedGitRepo -> buildScan.value("Git repository", redactedGitRepo));`
`425`	`425`	`}`
`426`	`426`	`if (isNotEmpty(gitCommitId)) {`
`427`	`427`	`buildScan.value("Git commit id", gitCommitId);`