From a4b97075aed34b7f222d1f1c694a7507eda51437 Mon Sep 17 00:00:00 2001
From: Peter Steinberger
Date: Mon, 27 Apr 2026 11:00:39 +0100
Subject: [PATCH] fix: align support URL redaction
---
 src/logging/diagnostic-support-redaction.ts | 5 ++---
 src/logging/redact.ts | 2 --
 2 files changed, 2 insertions(+), 5 deletions(-)
diff --git a/src/logging/diagnostic-support-redaction.ts b/src/logging/diagnostic-support-redaction.ts
index 60bb7926e69..caa926f8c7e 100644
--- a/src/logging/diagnostic-support-redaction.ts
+++ b/src/logging/diagnostic-support-redaction.ts
@@ -20,8 +20,7 @@ const COOKIE_HEADER_RE = /\b(Cookie|Set-Cookie)\s*:\s*[^\r\n]+/giu;
 const AWS_ACCESS_KEY_ID_RE = /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/gu;
 const JWT_RE = /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/gu;
 const URL_USERINFO_RE = /\b([a-z][a-z0-9+.-]*:\/\/)([^/@\s:?#]+)(?::([^/@\s?#]+))?@/giu;
-const URL_SENSITIVE_PARAM_RE =
- /([?&])(api[-_]?key|apikey|access[-_]?token|auth[-_]?token|client[-_]?secret|hook[-_]?token|refresh[-_]?token|token|key|secret|password|pass|passwd|auth|signature)=([^&#\s)"'<>]+)(?:&[^#\s)"'<>]*)?/giu;
+const URL_PARAM_RE = /([?&])([^=&\s]+)=([^&#\s]+)/giu;
 const EMAIL_RE = /\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/giu;
 const MATRIX_USER_ID_RE = /@[A-Za-z0-9._=-]+:[A-Za-z0-9.-]+/gu;
 const MATRIX_ROOM_ID_RE = /![A-Za-z0-9._=-]+:[A-Za-z0-9.-]+/gu;
@@ -307,7 +306,7 @@ function redactUrlSecretsForSupport(value: string): string {
 .replace(URL_USERINFO_RE, (_match, scheme: string, _username: string, password?: string) =>
 password ? `${scheme}:@` : `${scheme}@`,
 )
- .replace(URL_SENSITIVE_PARAM_RE, (match, prefix: string, key: string) =>
+ .replace(URL_PARAM_RE, (match, prefix: string, key: string) =>
 isSensitiveUrlQueryParamName(key) ? `${prefix}${key}=` : match,
 );
 }
diff --git a/src/logging/redact.ts b/src/logging/redact.ts
index 8dc8e303b7a..230cb2c83ef 100644
--- a/src/logging/redact.ts
+++ b/src/logging/redact.ts
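Review bot: The value class `[^&#\s]+` in the new URL_PARAM_RE (first hunk) drops the `)"'<>` exclusions the removed regex carried, so for a URL embedded in JSON or prose — `"url":"https://h/?token=abc","id":1}` or `(see https://h/?token=abc)` — the match runs through the closing quote or parenthesis up to the next whitespace, and the `${prefix}${key}=` replacement in the second hunk then deletes that surrounding text together with the value. Nothing leaks, but the support bundle loses structure and any JSON it contains can become unparseable, which is a regression from the old pattern. Restoring the exclusions keeps the generic any-parameter matching the commit wants: `const URL_PARAM_RE = /([?&])([^=&\s]+)=([^&#\s)"'<>]+)/giu;`. `redactUrlSecretsForSupport` begins outside the second hunk and `isSensitiveUrlQueryParamName` is not visible here, so whether `key` is compared case-insensitively or after percent-decoding could not be checked. The redact.ts hunk removes the URL query-credential pattern from DEFAULT_REDACT_PATTERNS; unless general log redaction now routes through this function, that coverage is lost for ordinary logs — worth confirming.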
@@ -21,8 +21,6 @@ const DEFAULT_REDACT_PATTERNS: string[] = [
 String.raw`"(?:apiKey|token|secret|password|passwd|accessToken|refreshToken)"\s*:\s*"([^"]+)"`,
 // CLI flags.
 String.raw`--(?:api[-_]?key|hook[-_]?token|token|secret|password|passwd)\s+(["']?)([^\s"']+)\1`,
- // URL query credentials.
- String.raw`/([?&](?:api[-_]?key|apikey|access[-_]?token|auth[-_]?token|client[-_]?secret|hook[-_]?token|refresh[-_]?token|token|key|secret|password|pass|passwd|auth|signature)=)([^&#\s)"'<>]+)/giu`,
 // Authorization headers.
 String.raw`Authorization\s*[:=]\s*Bearer\s+([A-Za-z0-9._\-+=]+)`,
 String.raw`\bBearer\s+([A-Za-z0-9._\-+=]{18,})\b`,