From cea2684a29da29c849ddf231fbaf9affd9a9b27d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Toni=20F=C3=B6rster?=
Date: Wed, 28 Aug 2024 16:21:49 +0200
Subject: [PATCH] sanitise user and password in url
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Toni Förster
---
 Model/Accounts/AccountsBridge.swift | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/Model/Accounts/AccountsBridge.swift b/Model/Accounts/AccountsBridge.swift
index 70fe94e3..8997dade 100644
--- a/Model/Accounts/AccountsBridge.swift
+++ b/Model/Accounts/AccountsBridge.swift
@@ -10,11 +10,28 @@ struct AccountsBridge: Defaults.Bridge {
 return nil
 }
 
+ // Parse the urlString to check for embedded username and password
+ var sanitizedUrlString = value.urlString
+ if var urlComponents = URLComponents(string: value.urlString) {
+ if let user = urlComponents.user, let password = urlComponents.password {
+ // Sanitize the embedded username and password
+ let sanitizedUser = user.addingPercentEncoding(withAllowedCharacters: .urlUserAllowed) ?? user
+ let sanitizedPassword = password.addingPercentEncoding(withAllowedCharacters: .urlPasswordAllowed) ?? password
+
+ // Update the URL components with sanitized credentials
+ urlComponents.user = sanitizedUser
+ urlComponents.password = sanitizedPassword
+
+ // Reconstruct the sanitized URL
+ sanitizedUrlString = urlComponents.string ?? value.urlString
+ }
+ }
+
 return [
 "id": value.id,
 "instanceID": value.instanceID ?? "",
 "name": value.name,
- "apiURL": value.urlString,
+ "apiURL": sanitizedUrlString,
 "username": value.username,
 "password": value.password ?? ""
 ]
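Review bot: The credentials are percent-encoded twice, because `urlComponents.user` and `urlComponents.password` return decoded values and their setters add percent-encoding again, so assigning the output of `addingPercentEncoding` turns every `%` into `%25`. If the stored `apiURL` is read back and serialized again, the encoding would compound on each round trip. Either assign the pre-encoded strings through `urlComponents.percentEncodedUser = sanitizedUser` and `urlComponents.percentEncodedPassword = sanitizedPassword`, or drop the manual encoding and let the plain setters do it. The credentials also still end up inside the `apiURL` value; since `username` and `password` are returned as separate keys, consider setting both components to `nil` before rebuilding the string, if the intent is to keep secrets out of the stored URL. The enclosing function starts and ends outside this hunk, so how `apiURL` is consumed cannot be confirmed here.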