From 82bb67e5f629b32eb5c7030351fc8eb1da9e9ebb Mon Sep 17 00:00:00 2001
From: Gar <gar+gh@danger.computer>
Date: Thu, 9 Sep 2021 11:14:04 -0700
Subject: [PATCH] fix(error-message): clean urls from 404 error

If the package being installed is a url it needs to be cleaned before
logging so passwords aren't potentially logged.
---
 lib/utils/error-message.js                    |  2 +-
 .../test/lib/utils/error-message.js.test.cjs  | 42 +++++++++++++++++++
 test/lib/utils/error-message.js               |  8 ++++
 3 files changed, 51 insertions(+), 1 deletion(-)

diff --git a/lib/utils/error-message.js b/lib/utils/error-message.js
index da97195dd04f0..ef37d0593ad91 100644
--- a/lib/utils/error-message.js
+++ b/lib/utils/error-message.js
@@ -181,7 +181,7 @@ module.exports = (er, npm) => {
         const pkg = er.pkgid.replace(/(?!^)@.*$/, '')
 
         detail.push(['404', ''])
-        detail.push(['404', '', "'" + er.pkgid + "' is not in the npm registry."])
+        detail.push(['404', '', `'${replaceInfo(er.pkgid)}' is not in the npm registry.`])
 
         const valResult = nameValidator(pkg)
 
diff --git a/tap-snapshots/test/lib/utils/error-message.js.test.cjs b/tap-snapshots/test/lib/utils/error-message.js.test.cjs
index e8f817cd15f00..6e163a4944c9e 100644
--- a/tap-snapshots/test/lib/utils/error-message.js.test.cjs
+++ b/tap-snapshots/test/lib/utils/error-message.js.test.cjs
@@ -5,6 +5,48 @@
  * Make sure to inspect the output below.  Do not ignore changes!
  */
 'use strict'
+exports[`test/lib/utils/error-message.js TAP 404 cleans sensitive info from package id > must match snapshot 1`] = `
+Object {
+  "detail": Array [
+    Array [
+      "404",
+      "",
+    ],
+    Array [
+      "404",
+      "",
+      "'http://evil:***@npmjs.org/not-found' is not in the npm registry.",
+    ],
+    Array [
+      "404",
+      "This package name is not valid, because",
+      "",
+    ],
+    Array [
+      "404",
+      " 1. name can only contain URL-friendly characters",
+    ],
+    Array [
+      "404",
+      String(
+        
+        Note that you can also install from a
+      ),
+    ],
+    Array [
+      "404",
+      "tarball, folder, http url, or git url.",
+    ],
+  ],
+  "summary": Array [
+    Array [
+      "404",
+      "not found",
+    ],
+  ],
+}
+`
+
 exports[`test/lib/utils/error-message.js TAP 404 name with error > must match snapshot 1`] = `
 Object {
   "detail": Array [
diff --git a/test/lib/utils/error-message.js b/test/lib/utils/error-message.js
index 07328d588759b..d1c67a95137c4 100644
--- a/test/lib/utils/error-message.js
+++ b/test/lib/utils/error-message.js
@@ -423,6 +423,14 @@ t.test('404', t => {
     t.matchSnapshot(errorMessage(er, npm))
     t.end()
   })
+  t.test('cleans sensitive info from package id', t => {
+    const er = Object.assign(new Error('404 not found'), {
+      pkgid: 'http://evil:password@npmjs.org/not-found',
+      code: 'E404',
+    })
+    t.matchSnapshot(errorMessage(er, npm))
+    t.end()
+  })
   t.end()
 })