fix: redact credentials in browser.cdpUrl config paths (#67679)

Merged via squash. Prepared head SHA: 77bc2c50ce Co-authored-by: Ziy1-Tan <49604965+Ziy1-Tan@users.noreply.github.com> Co-authored-by: hxy91819 <8814856+hxy91819@users.noreply.github.com> Reviewed-by: @hxy91819
2026-05-16 08:50:44 +00:00 · 2026-04-18 14:22:58 +08:00
parent c778562379
commit 4b5987829d
8 changed files with 171 additions and 3 deletions
--- a/src/shared/net/redact-sensitive-url.test.ts
+++ b/src/shared/net/redact-sensitive-url.test.ts
@@ -51,6 +51,12 @@ describe("sensitive URL config metadata", () => {
    expect(isSensitiveUrlConfigPath("gateway.remote.url")).toBe(false);
  });

+  it("recognizes cdpUrl config paths as sensitive (browser CDP URLs can embed credentials)", () => {
+    expect(isSensitiveUrlConfigPath("browser.cdpUrl")).toBe(true);
+    expect(isSensitiveUrlConfigPath("browser.profiles.remote.cdpUrl")).toBe(true);
+    expect(isSensitiveUrlConfigPath("browser.profiles.staging.cdpUrl")).toBe(true);
+  });
+
  it("uses an explicit url-secret hint tag", () => {
    expect(SENSITIVE_URL_HINT_TAG).toBe("url-secret");
    expect(hasSensitiveUrlHintTag({ tags: [SENSITIVE_URL_HINT_TAG] })).toBe(true);
--- a/src/shared/net/redact-sensitive-url.ts
+++ b/src/shared/net/redact-sensitive-url.ts
@@ -25,6 +25,9 @@ export function isSensitiveUrlConfigPath(path: string): boolean {
  if (path.endsWith(".baseUrl") || path.endsWith(".httpUrl")) {
    return true;
  }
+  if (path.endsWith(".cdpUrl")) {
+    return true;
+  }
  if (path.endsWith(".request.proxy.url")) {
    return true;
  }