
Commit b82aee0

Fix RedactURL: handle IPv6 URLs correctly
Move standard URL parsing back before SCP check, but require both scheme AND host to be non-empty. This correctly handles: - oauth2:token@host:path (scheme=oauth2, host=empty → SCP fallback) - https://user@[2001:db8::1]/path (scheme=https, host=[2001:db8::1] → standard URL)
1 parent afcce7f commit b82aee0

1 file changed

Lines changed: 12 additions & 12 deletions


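--- a/git/git.go
+++ b/git/git.go
@@ -473,18 +473,7 @@ func SameHost(url1, url2 string) bool {
 // - Various schemes: http, https, ssh, git, ftp, sftp
 // - IPv6 hosts: https://user@[2001:db8::1]/path
 func RedactURL(u string) string {
-// Handle SCP-like URLs first: user@host:path (no scheme)
-// Must check this BEFORE url.Parse because urls like "oauth2:token@host:path"
-// get misinterpreted as having scheme "oauth2".
-// This catches: git@github.com:org/repo, deploy@host:repo, oauth2:token@gitlab.com:org/repo
-if matches := scpLikeURLRegex.FindStringSubmatch(u); matches != nil {
-// matches[1] = user part (could be git, deploy, oauth2:token, etc.)
-// matches[2] = host
-// matches[3] = path
-return "***@" + matches[2] + ":" + matches[3]
-}
-
-// Try to parse as a standard URL (handles most schemes)
+// Try to parse as a standard URL first (handles schemes like https://, ssh://, etc.)
 parsed, err := url.Parse(u)
 if err == nil && parsed.Scheme != "" && parsed.Host != "" {
 // Successfully parsed as a URL with a scheme and host
@@ -503,6 +492,17 @@ func RedactURL(u string) string {
 return parsed.String()
 }
 
+// Handle SCP-like URLs: user@host:path (no scheme)
+// Only check this if url.Parse didn't find a valid scheme+host
+// (to avoid matching URLs like https://user@[ipv6]:path)
+// This catches: git@github.com:org/repo, deploy@host:repo, oauth2:token@gitlab.com:org/repo
+if matches := scpLikeURLRegex.FindStringSubmatch(u); matches != nil {
+// matches[1] = user part (could be git, deploy, oauth2:token, etc.)
+// matches[2] = host
+// matches[3] = path
+return "***@" + matches[2] + ":" + matches[3]
+}
+
 // If we can't parse it and it's not SCP-like, return as-is
 // (probably not a URL with credentials)
 return u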
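Review bot: The closing `return u` still fails open: any input that url.Parse rejects or parses without a host, and that scpLikeURLRegex also does not match, is handed back unredacted, so a malformed URL that carries userinfo would presumably reach logs intact. After this reordering that fallthrough is the last stop for everything the standard-URL branch declines, so I would make it conservative, for example `if i := strings.LastIndex(u, "@"); i >= 0 { return "***" + u[i:] }` ahead of `return u` (this assumes `strings` is already imported in git/git.go, and it drops the scheme in that fallback case). A table-driven test with the two inputs named in the commit message plus one unparseable URL containing credentials would pin the behaviour; the commit changes only git/git.go. The middle of RedactURL sits between the two hunks and is not visible here, so the redaction inside the url.Parse branch is not covered by this note.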
