tune URL handling and refine tests

Author: daveshanley

cmd/html_report.go

@@ -93,8 +93,8 @@ func generateHTMLReport(commits []*model.Commit, breakingConfig *whatChangedMode
 		History:       history,
 	}
 
-	// For left/right comparisons, preserve explicit git-ref and URL labels while
-	// keeping plain local files compact.
+	// For left/right comparisons, preserve explicit git-ref labels, sanitize URL
+	// labels, and keep plain local files compact.
 	if len(args) == 2 && len(items) == 1 {
 		payload.OriginalPath = displayLabelForHTML(args[0])
 		payload.ModifiedPath = displayLabelForHTML(args[1])

cmd/html_report_test.go

@@ -77,7 +77,7 @@ func TestGenerateHTMLReport_LeftRightPreservesGitRefPaths(t *testing.T) {
 	assert.Contains(t, content, `"modifiedPath":"HEAD:openapi.yaml"`)
 }
 
-func TestGenerateHTMLReport_LeftRightPreservesURLPaths(t *testing.T) {
+func TestGenerateHTMLReport_LeftRightSanitizesURLPaths(t *testing.T) {
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.URL.Path == "/left.yaml" {
 			_, _ = w.Write([]byte("openapi: 3.0.3\ninfo:\n  title: Left\n  version: '1.0'\npaths: {}\n"))
@@ -87,8 +87,8 @@ func TestGenerateHTMLReport_LeftRightPreservesURLPaths(t *testing.T) {
 	}))
 	defer server.Close()
 
-	leftURL := server.URL + "/left.yaml"
-	rightURL := server.URL + "/right.yaml"
+	leftURL := server.URL + "/left.yaml?token=left-secret#frag"
+	rightURL := server.URL + "/right.yaml?token=right-secret#frag"
 
 	commits, err := loadLeftRightCommits(leftURL, rightURL, summaryOpts{noColor: true})
 	require.NoError(t, err)
@@ -98,8 +98,10 @@ func TestGenerateHTMLReport_LeftRightPreservesURLPaths(t *testing.T) {
 	require.NotNil(t, report)
 
 	content := string(report)
-	assert.Contains(t, content, `"originalPath":"`+leftURL+`"`)
-	assert.Contains(t, content, `"modifiedPath":"`+rightURL+`"`)
+	assert.Contains(t, content, `"originalPath":"`+server.URL+`/left.yaml"`)
+	assert.Contains(t, content, `"modifiedPath":"`+server.URL+`/right.yaml"`)
+	assert.NotContains(t, content, "left-secret")
+	assert.NotContains(t, content, "right-secret")
 }
 
 func TestBuildHTMLReportItems_AllCommitsFail(t *testing.T) {

cmd/left_right_sources.go

@@ -183,27 +183,29 @@ func resolveGitRefSource(raw, revision, filePath string, opts summaryOpts) (comp
 }
 
 func resolveURLSource(raw string, opts summaryOpts) (comparisonSource, error) {
+	display := sanitizeURLLabel(raw)
+
 	resp, err := httpGet(raw)
 	if err != nil {
-		return comparisonSource{}, fmt.Errorf("error downloading file '%s': %w", raw, err)
+		return comparisonSource{}, fmt.Errorf("error downloading file '%s': %w", display, err)
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode < http.StatusOK || resp.StatusCode >= http.StatusMultipleChoices {
-		return comparisonSource{}, fmt.Errorf("error downloading file '%s': unexpected status %s", raw, resp.Status)
+		return comparisonSource{}, fmt.Errorf("error downloading file '%s': unexpected status %s", display, resp.Status)
 	}
 
 	const maxDownloadSize = 100 << 20 // 100 MB
 	bits, err := io.ReadAll(io.LimitReader(resp.Body, maxDownloadSize))
 	if err != nil {
-		return comparisonSource{}, fmt.Errorf("error reading downloaded file '%s': %w", raw, err)
+		return comparisonSource{}, fmt.Errorf("error reading downloaded file '%s': %w", display, err)
 	}
 	if len(bits) == 0 {
-		return comparisonSource{}, fmt.Errorf("downloaded file '%s' is empty", raw)
+		return comparisonSource{}, fmt.Errorf("downloaded file '%s' is empty", display)
 	}
 
 	baseURL, err := url.Parse(raw)
 	if err != nil {
-		return comparisonSource{}, fmt.Errorf("invalid URL '%s': %w", raw, err)
+		return comparisonSource{}, fmt.Errorf("invalid URL '%s': %w", display, err)
 	}
 	baseURL.Path = path.Dir(baseURL.Path)
 	baseURL.RawQuery = ""
@@ -230,13 +232,28 @@ func resolveURLSource(raw string, opts summaryOpts) (comparisonSource, error) {
 	}
 
 	return comparisonSource{
-		Display:   raw,
+		Display:   display,
 		RootBytes: bits,
 		DocConfig: docConfig,
 		Cleanup:   func() {},
 	}, nil
 }
 
+func sanitizeURLLabel(raw string) string {
+	if !isHTTPURL(raw) {
+		return raw
+	}
+
+	parsed, err := url.Parse(raw)
+	if err != nil || parsed == nil {
+		return raw
+	}
+	parsed.User = nil
+	parsed.RawQuery = ""
+	parsed.Fragment = ""
+	return parsed.String()
+}
+
 func attachLazyLocalFS(docConfig *datamodel.DocumentConfiguration) error {
 	if docConfig == nil || docConfig.BasePath == "" || !docConfig.AllowFileReferences || docConfig.LocalFS != nil {
 		return nil

cmd/loaders.go

@@ -327,7 +327,7 @@ func displayLabelForHTML(raw string) string {
 		return raw
 	}
 	if isHTTPURL(raw) {
-		return raw
+		return sanitizeURLLabel(raw)
 	}
 	return filepath.Base(raw)
 }

cmd/loaders_test.go

@@ -185,13 +185,13 @@ func TestResolveGitRefSource_RequiresGitRepo(t *testing.T) {
 	assert.Contains(t, err.Error(), "requires the current working directory to be inside a git repository")
 }
 
-func TestResolveComparisonSource_URLPreservesDisplay(t *testing.T) {
+func TestResolveComparisonSource_URLSanitizesDisplay(t *testing.T) {
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		_, _ = w.Write([]byte("openapi: 3.0.3\ninfo:\n  title: test\n  version: '1.0'\npaths: {}\n"))
 	}))
 	defer server.Close()
 
-	source, err := resolveComparisonSource(server.URL+"/spec.yaml", summaryOpts{})
+	source, err := resolveComparisonSource(server.URL+"/spec.yaml?token=secret#section", summaryOpts{})
 	require.NoError(t, err)
 
 	assert.Equal(t, server.URL+"/spec.yaml", source.Display)
@@ -223,7 +223,7 @@ func TestResolveComparisonSource_URLReturnsStatusErrors(t *testing.T) {
 	assert.Contains(t, err.Error(), "unexpected status 404 Not Found")
 }
 
-func TestLoadLeftRightCommits_PreservesRawDisplayLabels(t *testing.T) {
+func TestLoadLeftRightCommits_UsesSafeDisplayLabels(t *testing.T) {
 	wd, err := os.Getwd()
 	require.NoError(t, err)
 	repoRoot := filepath.Clean(filepath.Join(wd, ".."))
@@ -257,7 +257,7 @@ func TestLoadLeftRightCommits_PreservesRawDisplayLabels(t *testing.T) {
 		},
 		{
 			name:          "url and local file",
-			left:          server.URL + "/spec.yaml",
+			left:          server.URL + "/spec.yaml?token=secret#section",
 			right:         "sample-specs/petstorev3.json",
 			originalLabel: server.URL + "/spec.yaml",
 			modifiedLabel: "sample-specs/petstorev3.json",

cmd/summary_test.go

@@ -351,7 +351,7 @@ paths: {}
 	assert.True(t, hasChanges)
 }
 
-func TestLoadLeftRightCommits_DownloadedFilesPreserveRawLabels(t *testing.T) {
+func TestLoadLeftRightCommits_DownloadedFilesSanitizeURLLabels(t *testing.T) {
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		_, _ = w.Write([]byte(`openapi: 3.0.3
 info:
@@ -362,14 +362,17 @@ paths: {}
 	}))
 	defer server.Close()
 
-	leftURL := server.URL + "/left.yaml"
-	rightURL := server.URL + "/right.yaml"
+	leftURL := server.URL + "/left.yaml?token=left-secret#frag"
+	rightURL := server.URL + "/right.yaml?token=right-secret#frag"
 
 	commits, err := loadLeftRightCommits(leftURL, rightURL, summaryOpts{})
 
 	require.NoError(t, err)
 	require.Len(t, commits, 1)
-	assert.Equal(t, "Original: "+leftURL+", Modified: "+rightURL, commits[0].Message)
+	assert.Equal(t,
+		"Original: "+server.URL+"/left.yaml, Modified: "+server.URL+"/right.yaml",
+		commits[0].Message,
+	)
 }
 
 func TestRenderSummary_GitRefExplodedSpecDetectsSiblingChanges(t *testing.T) {