Regular expression in `scrub` produces incorrect results if URL path portion contains a bare '@'
In https://github.com/dscape/nano/blob/master/lib/nano.js#L64, `(.*)@` is being used instead of the non-greedy `(.*?)@` or `([^@]*)@` – this matches up until the last occurrence of `@`, rather than the first. If the URL's path component contains a bare `@`, the entire hostname and a portion of the path could be stripped. For example, `scrub('https://foo:bar@host/foo/bar/@quux')` will yield `"https://XXXXXX:XXXXXX@quux"` instead of `"https://XXXXXX:XXXXXX@host/foo/bar/@quux"`.
I can't see any way to exploit this beyond potentially hiding URL contents in logs, but admittedly haven't investigated closely.
This repository has been merged into apache/couchdb-nano, please continue the discussion here