Check whether value is a URL in checkEnvVar and clear credentials

mbg · mbg · commit 99fcc7b2a12a · 2026-02-17T13:42:51.000Z
Note also that we run this after `getCredentials` which already instructs Actions to mask credentials that we know about in logs
diff --git a/lib/start-proxy-action.js b/lib/start-proxy-action.js
diff --git a/src/start-proxy/environment.test.ts b/src/start-proxy/environment.test.ts
@@ -29,12 +29,16 @@ function assertEnvVarLogMessages(
   t: ExecutionContext<any>,
   envVars: string[],
   messages: LoggedMessage[],
-  expectSet: boolean,
+  expectSet: boolean | string,
 ) {
-  const template = (envVar: string) =>
-    expectSet
+  const template = (envVar: string) => {
+    if (typeof expectSet === "string") {
+      return `Environment variable '${envVar}' is set to '${expectSet}'`;
+    }
+    return expectSet
       ? `Environment variable '${envVar}' is set to '${envVar}'`
       : `Environment variable '${envVar}' is not set`;
+  };
 
   const expected: string[] = [];
 
@@ -145,6 +149,23 @@ test("checkProxyEnvVars - logs values when variables are set", (t) => {
   assertEnvVarLogMessages(t, Object.values(ProxyEnvVars), messages, true);
 });
 
+test("checkProxyEnvVars - credentials are removed from URLs", (t) => {
+  const messages: LoggedMessage[] = [];
+  const logger = getRecordingLogger(messages);
+
+  for (const envVar of Object.values(ProxyEnvVars)) {
+    process.env[envVar] = "https://secret:password@proxy.local";
+  }
+
+  checkProxyEnvVars(logger);
+  assertEnvVarLogMessages(
+    t,
+    Object.values(ProxyEnvVars),
+    messages,
+    "https://proxy.local/",
+  );
+});
+
 test("checkProxyEnvironment - includes base checks for all known languages", (t) => {
   for (const language of Object.values(KnownLanguage)) {
     const messages: LoggedMessage[] = [];
diff --git a/src/start-proxy/environment.ts b/src/start-proxy/environment.ts
@@ -16,7 +16,14 @@ import { getErrorMessage, isDefined } from "../util";
 function checkEnvVar(logger: Logger, name: string): boolean {
   const value = process.env[name];
   if (isDefined(value)) {
-    logger.info(`Environment variable '${name}' is set to '${value}'.`);
+    const url = URL.parse(value);
+    if (isDefined(url)) {
+      url.username = "";
+      url.password = "";
+      logger.info(`Environment variable '${name}' is set to '${url}'.`);
+    } else {
+      logger.info(`Environment variable '${name}' is set to '${value}'.`);
+    }
     return true;
   } else {
     logger.debug(`Environment variable '${name}' is not set.`);
