fix: URLs in error meta-messages (#4564)

fix: strip basic-auth credentials from URLs in error meta-messages

Previously, errors raised by HttpRequestError, WebSocketRequestError,
RpcRequestError, and TimeoutError formatted the request URL verbatim
in their meta-messages — which leaked basic-auth credentials when an
RPC URL of the form 'https://user:pass@host' was used.

'getUrl' (the single chokepoint shared by every URL-bearing error
formatter in src/errors/request.ts) is now a sanitizer: it parses the
URL and clears 'username'/'password' before returning, falling back
to the raw input on parse failure.

Amp-Thread-ID: https://ampcode.com/threads/T-019de09d-2011-716e-a2cc-bf98f248520d

Author: jxom

.changeset/strip-credentials-from-error-urls.md

@@ -0,0 +1,7 @@
+---
+"viem": patch
+---
+
+Stripped basic-auth credentials (`user:pass@`) from URLs surfaced in
+error meta-messages (`HttpRequestError`, `WebSocketRequestError`,
+`RpcRequestError`, `TimeoutError`).

src/errors/utils.test.ts

@@ -0,0 +1,37 @@
+import { expect, test } from 'vitest'
+
+import { getUrl } from './utils.js'
+
+test('passes a credential-free URL through unchanged', () => {
+  expect(getUrl('https://example.com/rpc')).toMatchInlineSnapshot(
+    `"https://example.com/rpc"`,
+  )
+})
+
+test('strips username + password', () => {
+  expect(getUrl('https://user:pass@example.com/rpc')).toMatchInlineSnapshot(
+    `"https://example.com/rpc"`,
+  )
+})
+
+test('strips a username-only credential', () => {
+  expect(getUrl('https://user@example.com/rpc')).toMatchInlineSnapshot(
+    `"https://example.com/rpc"`,
+  )
+})
+
+test('strips a password-only credential', () => {
+  expect(getUrl('https://:pass@example.com/rpc')).toMatchInlineSnapshot(
+    `"https://example.com/rpc"`,
+  )
+})
+
+test('preserves query string and hash after stripping', () => {
+  expect(
+    getUrl('https://user:pass@example.com/rpc?key=value#frag'),
+  ).toMatchInlineSnapshot(`"https://example.com/rpc?key=value#frag"`)
+})
+
+test('returns the input untouched when not a parseable URL', () => {
+  expect(getUrl('not-a-url')).toMatchInlineSnapshot(`"not-a-url"`)
+})

src/errors/utils.ts

@@ -3,4 +3,20 @@ import type { Address } from 'abitype'
 export type ErrorType<name extends string = 'Error'> = Error & { name: name }
 
 export const getContractAddress = (address: Address) => address
-export const getUrl = (url: string) => url
+
+/**
+ * Returns the URL with any embedded basic-auth credentials stripped, so
+ * error messages and logs don't leak secrets when an RPC URL like
+ * `https://user:pass@host` is used.
+ */
+export const getUrl = (url: string) => {
+  try {
+    const parsed = new URL(url)
+    if (!parsed.username && !parsed.password) return url
+    parsed.username = ''
+    parsed.password = ''
+    return parsed.toString()
+  } catch {
+    return url
+  }
+}