From 8d121222929936fb3e8ff90cd3c822144852560d Mon Sep 17 00:00:00 2001
From: Tristan Otterpohl
Date: Tue, 19 Aug 2025 10:50:43 +0100
Subject: [PATCH] Parse URL to safely format error message without exposing credentials in indices and snapshot collectors

Signed-off-by: Tristan Otterpohl
---
 collector/util.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/collector/util.go b/collector/util.go
index fc1eaaa6..df2afb13 100644
--- a/collector/util.go
+++ b/collector/util.go
@@ -19,6 +19,7 @@ import (
 "io"
 "log/slog"
 "net/http"
+ "net/url"
 )

 func getURL(ctx context.Context, hc *http.Client, log *slog.Logger, u string) ([]byte, error) {
@@ -29,7 +30,13 @@ func getURL(ctx context.Context, hc *http.Client, log *slog.Logger, u string) ([

 resp, err := hc.Do(req)
 if err != nil {
- return nil, fmt.Errorf("failed to get %s: %v", u, err)
+ // Parse URL to safely format error message without exposing credentials
+ if parsedURL, parseErr := url.Parse(u); parseErr == nil {
+ return nil, fmt.Errorf("failed to get %s://%s:%s%s: %v",
+ parsedURL.Scheme, parsedURL.Hostname(), parsedURL.Port(), parsedURL.Path, err)
+ }
+ // Fallback if URL parsing fails - still avoid exposing full URL
+ return nil, fmt.Errorf("failed to get URL: %v", err)
 }

 defer func() {
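Review bot: The `err` appended with `%v` in both new `fmt.Errorf` calls comes from `hc.Do`, which returns a `*url.Error` whose text repeats the request URL, so the main and the fallback message can still carry the URL's username and query string (current Go versions mask only the password there). Unwrapping it with `errors.As` before formatting would close that gap; `errors` would need adding to the import block, which is only partly visible here. Separately, `Hostname()` followed by `:` and `Port()` prints a dangling colon when the URL has no explicit port and drops the brackets around an IPv6 literal, which `Host` avoids. Since `req` is already passed to `hc.Do`, its `req.URL` can be used instead of parsing `u` a second time, which also makes the fallback branch unnecessary; getURL starts above and continues below this hunk.

```go
resp, err := hc.Do(req)
if err != nil {
	// hc.Do wraps failures in *url.Error, whose text repeats the request URL;
	// keep only the underlying cause so userinfo and query never reach the log.
	var uerr *url.Error
	if errors.As(err, &uerr) {
		err = uerr.Err
	}
	// req.URL is already parsed; Host keeps IPv6 brackets and omits the colon when no port is set.
	return nil, fmt.Errorf("failed to get %s://%s%s: %v",
		req.URL.Scheme, req.URL.Host, req.URL.Path, err)
}
// … unchanged: deferred body close and response handling …
```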