Merge pull request #1319 from sjmudd/sjmudd/orchestrator_client_santi…

…se_url If access to ORCHESTRATOR_API fails do not expose the password(s)
openark · Mar 4, 2021 · d36f90c · d36f90c
2 parents 9fca91d + 67df7bd
commit d36f90c
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/resources/bin/orchestrator-client b/resources/bin/orchestrator-client
@@ -212,10 +212,12 @@ function detect_leader_api {
   # - in which case we just normalize the URL
   # or it may be a space delimited list, such as "http://host1:3000/api http://host2:3000/api http://host3:3000/api "
   # - in which case we figure out which of the URLs is the leader
+  # Prevent leaking passwords if the URL has credentials like: http://<user>:<password>@host:3000/api
   local curl_auth_params="$(get_curl_auth_params)"
 
   if [ "${curl_auth_params}" == "$unauthorized_401" ] ; then
-    fail "Cannot access orchestrator at ${orchestrator_api}.  Check ORCHESTRATOR_API is configured correctly and orchestrator is running"
+    santised_api=$(echo "${orchestrator_api}" | sed -e 's|:[^:^@^ ]*@|:<REMOVED>@|g')
+    fail "Cannot access orchestrator at ${santised_api}.  Check ORCHESTRATOR_API is configured correctly and orchestrator is running"
   fi
 
   leader_api=