From 1dbfd41462e91fd26ab8836246613c56a5344b4b Mon Sep 17 00:00:00 2001
From: Ziy1-Tan
Date: Thu, 16 Apr 2026 20:44:52 +0800
Subject: [PATCH] fix: add cdpUrl to sensitive URL config path matching

Browser CDP URLs (browser.cdpUrl, browser.profiles.*.cdpUrl) can embed credentials via query tokens (?token=xxx) or HTTP Basic auth (user:pass@host). Add .cdpUrl suffix to isSensitiveUrlConfigPath() so these paths are correctly redacted in config.get responses.

Refs #67656, #53433
---
 src/shared/net/redact-sensitive-url.test.ts | 6 ++++++
 src/shared/net/redact-sensitive-url.ts | 3 +++
 2 files changed, 9 insertions(+)

diff --git a/src/shared/net/redact-sensitive-url.test.ts b/src/shared/net/redact-sensitive-url.test.ts
index d9dedf7e4ad..b72b90655cb 100644
--- a/src/shared/net/redact-sensitive-url.test.ts
+++ b/src/shared/net/redact-sensitive-url.test.ts
@@ -51,6 +51,12 @@ describe("sensitive URL config metadata", () => {
 expect(isSensitiveUrlConfigPath("gateway.remote.url")).toBe(false);
 });
 
+ it("recognizes cdpUrl config paths as sensitive (browser CDP URLs can embed credentials)", () => {
+ expect(isSensitiveUrlConfigPath("browser.cdpUrl")).toBe(true);
+ expect(isSensitiveUrlConfigPath("browser.profiles.remote.cdpUrl")).toBe(true);
+ expect(isSensitiveUrlConfigPath("browser.profiles.staging.cdpUrl")).toBe(true);
+ });
+
 it("uses an explicit url-secret hint tag", () => {
 expect(SENSITIVE_URL_HINT_TAG).toBe("url-secret");
 expect(hasSensitiveUrlHintTag({ tags: [SENSITIVE_URL_HINT_TAG] })).toBe(true);
diff --git a/src/shared/net/redact-sensitive-url.ts b/src/shared/net/redact-sensitive-url.ts
index 144d0ead19b..c2a3f379f27 100644
--- a/src/shared/net/redact-sensitive-url.ts
+++ b/src/shared/net/redact-sensitive-url.ts
@@ -25,6 +25,9 @@ export function isSensitiveUrlConfigPath(path: string): boolean {
 if (path.endsWith(".baseUrl") || path.endsWith(".httpUrl")) {
 return true;
 }
+ if (path.endsWith(".cdpUrl")) {
+ return true;
+ }
 if (path.endsWith(".request.proxy.url")) {
 return true;
 }
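Review bot: The new `.cdpUrl` branch only classifies the config path; whether the value is then scrubbed depends on the redaction routine elsewhere in this file, which is outside the hunk, and CDP endpoints are often `ws://` or `wss://` URLs rather than `http(s)://`. The added tests assert `isSensitiveUrlConfigPath(...)` only, so one more case should pass a constructed value such as `wss://user:pass@cdp.example.test/devtools?token=abc` through the redactor and check that neither the userinfo nor the token survives. The match is also an exact, case-sensitive suffix with a leading dot, so a key spelled `cdpURL`, or a `cdpUrl` key with no parent segment, would still come back unredacted; if the config schema allows either, handle it or document that it cannot occur. A short comment above the branch, e.g. `// CDP endpoints can carry ?token=… or user:pass@host credentials`, would record why this suffix is listed. The body of `isSensitiveUrlConfigPath` continues outside the hunk.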