Regular expression in scrub produces incorrect results if URL path portion contains a bare '@'

[ghost]

In https://github.com/dscape/nano/blob/master/lib/nano.js#L64, (.*)@ is being used instead of the non-greedy (.*?)@ or ([^@]*)@ – this matches up until the last occurrence of @, rather than the first. If the URL's path component contains a bare @, the entire hostname and a portion of the path could be stripped. For example, scrub('https://foo:bar@host/foo/bar/@quux') will yield "https://XXXXXX:XXXXXX@quux" instead of "https://XXXXXX:XXXXXX@host/foo/bar/@quux".

I can't see any way to exploit this beyond potentially hiding URL contents in logs, but admittedly haven't investigated closely.

[carlosduclos]

This repository has been merged into apache/couchdb-nano, please continue the discussion here