fix: correct password redaction

Avoids setting '***' at the start of urls witout passwords, avoids hazard if a password is 'https:'.
npm · Aug 17, 2020 · 110032b · 110032b
1 parent 2275f55
commit 110032b
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 3 deletions.
diff --git a/check-response.js b/check-response.js
@@ -32,9 +32,12 @@ function logRequest (method, res, startTime, opts) {
 
   let urlStr
   try {
-    const { URL } = require('url')
+    const URL = require('url').URL
     const url = new URL(res.url)
-    urlStr = res.url.replace(url.password, '***')
+    if (url.password) {
+      url.password = '***'
+    }
+    urlStr = url.toString()
   } catch (er) {
     urlStr = res.url
   }

diff --git a/package.json b/package.json
@@ -13,7 +13,7 @@
   "scripts": {
     "prerelease": "npm t",
     "postrelease": "npm publish && git push --follow-tags",
-    "pretest": "standard",
+    "posttest": "standard",
     "release": "standard-version -s",
     "test": "tap -J --coverage test/*.js",
     "update-coc": "weallbehave -o . && git add CODE_OF_CONDUCT.md && git commit -m 'docs(coc): updated CODE_OF_CONDUCT.md'",