fix(security): redact URL userinfo in scheme-validation error messages

mickenordin · mickenordin · commit 25e3e027872d · 2026-04-17T13:48:11.000+02:00
A URL configured with embedded credentials (e.g. https://user:pw@host/) would be echoed verbatim into error messages and logs on rejection, leaking the password. Strip userinfo before formatting; for unparseable URLs, don't echo the raw input at all. Addresses Copilot review on #63.
diff --git a/src-tauri/src/mail/url_validation.rs b/src-tauri/src/mail/url_validation.rs
@@ -1,5 +1,20 @@
 use crate::error::{Error, Result};
 
+/// Format a URL for display in error messages with userinfo (user:password)
+/// stripped so credentials can't leak into logs or surfaced error text.
+/// Unparseable URLs are reported as `<invalid URL>` to avoid echoing back
+/// raw input that may also contain secrets.
+fn redact_url(url: &str) -> String {
+    match url::Url::parse(url) {
+        Ok(mut parsed) => {
+            let _ = parsed.set_username("");
+            let _ = parsed.set_password(None);
+            parsed.into()
+        }
+        Err(_) => "<invalid URL>".to_string(),
+    }
+}
+
 /// Reject URLs that would send credentials over cleartext.
 ///
 /// Accepts `https://` URLs. In debug builds, `http://` is permitted for
@@ -8,14 +23,15 @@ use crate::error::{Error, Result};
 /// URLs unconditionally.
 pub fn require_https(url: &str) -> Result<()> {
     let parsed = url::Url::parse(url)
-        .map_err(|e| Error::Other(format!("Invalid URL '{}': {}", url, e)))?;
+        .map_err(|e| Error::Other(format!("Invalid URL: {}", e)))?;
 
     match parsed.scheme() {
         "https" => Ok(()),
         "http" if cfg!(debug_assertions) && is_loopback_host(parsed.host_str()) => Ok(()),
         scheme => Err(Error::Other(format!(
             "URL must use https:// (got '{}'): {}",
-            scheme, url
+            scheme,
+            redact_url(url)
         ))),
     }
 }
@@ -94,4 +110,27 @@ mod tests {
         assert!(require_https("http://8.8.8.8").is_err());
         assert!(require_https("http://[2001:db8::1]").is_err());
     }
+
+    #[test]
+    fn error_message_redacts_userinfo() {
+        let err = require_https("http://user:secret@example.com/path")
+            .unwrap_err()
+            .to_string();
+        assert!(!err.contains("secret"), "password leaked in error: {}", err);
+        assert!(!err.contains("user:"), "userinfo leaked in error: {}", err);
+        assert!(err.contains("example.com"), "expected host in error: {}", err);
+    }
+
+    #[test]
+    fn error_message_for_unparseable_url_does_not_echo_input() {
+        // Something that looks like userinfo but isn't a valid URL.
+        let err = require_https("http://user:topsecret!garbled")
+            .unwrap_err()
+            .to_string();
+        assert!(
+            !err.contains("topsecret"),
+            "parse-failure error leaked input: {}",
+            err
+        );
+    }
 }
