DownloadManager: add redact_url= kwarg to hide auth-bearing URLs in logs

Richard Taylor · claude · Richard Taylor · commit e608c658dc8b · 2026-05-13T15:17:13.000+01:00
`DownloadManager.download_url` currently prints the full request URL three times per download (start, finished, exception path), plus the entire response headers dict. That's useful debug output for the typical callers fetching public URLs (app icons, OS updates, weather data) — but it silently leaks any auth secret embedded in a URL's path or query string. Two real cases discovered in the wild: 1. Lightning Piggy's on-chain wallet (LightningPiggyApp PR #25) queries `https://btc1.trezor.io/api/v2/xpub/zpub6q...?details=txs&tokens=derived` to fetch balance + transactions for a watch-only xpub. The xpub itself is in the path. A leaked xpub exposes the wallet's entire past + future address derivation tree to whoever reads the log — non-recoverable confidentiality damage even though funds custody is unaffected. 2. Any future caller using API-key-in-URL or OAuth-token-in-URL authentication. Pattern is common enough (LNBits, BlueWallet's LNDHub, some HTTPS RPC endpoints) that the leak surface is wider than just Lightning Piggy. The Lightning Piggy app already scrubs xpubs from its own print() calls, but DownloadManager's prints sit below that and re-leak the URL on every poll. This PR adds a `redact_url=False` kwarg (default preserves current behaviour). When set True: - The URL is logged as `scheme://host[:port]/...REDACTED...` instead of full. The host is intentionally kept so failure triage (DNS, connectivity, wrong endpoint) is still possible. - The response-headers dump is suppressed entirely (replaced with `<redacted>`). Response headers often contain `set-cookie`, `cf-ray`, and other correlatable session tokens. - Exception messages have the URL substring scrubbed before printing (aiohttp's ClientConnectorError typically embeds the URL). Default False is deliberate — most callers fetch public URLs and want the full log line for diagnostics. Callers opt in: await DownloadManager.download_url(url, redact_url=True) Tests (`tests/test_download_manager.py`): - 6 unit tests for the new `_safe_url` helper (path-with-query strip, port handling, naked-host pass-through, malformed-URL placeholder, belt-and-braces "secret substrings never appear in output" guard). - 2 mock-surface tests confirming the kwarg flows through correctly and defaults to False. - All 22 existing tests continue to pass (default behaviour unchanged). $ bash tests/unittest.sh tests/test_download_manager.py Ran 30 tests OK The Lightning Piggy on-chain wallet PR will follow up on its side to pass `redact_url=True` once this lands; that's a one-line change in `onchain_wallet.py:fetch_balance_and_payments()`. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,9 @@ Board Support:
 OS:
 - Disable the repl on hardware uart for esp32s3 targets (USB serial still works)
 
+Frameworks:
+- `DownloadManager.download_url`: add `redact_url=True` kwarg for callers fetching URLs that embed an auth secret (API key, OAuth token, LNBits readkey, xpub/ypub/zpub). When set, the URL is logged as `scheme://host/...REDACTED...`, the response-headers dump is suppressed, and exception messages have any embedded URL scrubbed. Default `False` preserves existing debug output for callers fetching public URLs (app icons, OS updates, etc.). Use case: prevents serial / REPL logs from leaking the secret-bearing URL even when DEBUG-level chatter is on.
+
 0.9.5
 =====
 
diff --git a/internal_filesystem/lib/mpos/net/download_manager.py b/internal_filesystem/lib/mpos/net/download_manager.py
@@ -28,12 +28,12 @@ class DownloadManager:
     @classmethod
     def download_url(cls, url, outfile=None, total_size=None,
                     progress_callback=None, chunk_callback=None, headers=None,
-                    speed_callback=None):
+                    speed_callback=None, redact_url=False):
         """Download a URL with flexible output modes (sync or async wrapper).
-        
+
         This method automatically detects whether it's being called from an async context
         and either returns a coroutine (for await) or runs synchronously.
-        
+
         Args:
             url (str): URL to download (required)
             outfile (str, optional): Path to write file. If None, returns bytes.
@@ -42,12 +42,21 @@ def download_url(cls, url, outfile=None, total_size=None,
             chunk_callback (coroutine, optional): async def callback(chunk: bytes)
             headers (dict, optional): HTTP headers (e.g., {'Range': 'bytes=1000-'})
             speed_callback (coroutine, optional): async def callback(bytes_per_second: float)
-        
+            redact_url (bool, optional): Opt in to redacting the URL in log
+                output and the response-headers dump. Set True whenever the
+                URL embeds an auth secret in its path or query string &mdash;
+                e.g. an API key, an OAuth token, an LNBits readkey, or an
+                xpub/ypub/zpub (which exposes the wallet's whole derivation
+                tree). Only the `scheme://host[:port]` prefix is kept in
+                logs; path + query are replaced with "/...REDACTED...".
+                Defaults to False to preserve current debug output for
+                callers fetching public URLs (app icons, OS updates, etc.).
+
         Returns:
             bytes: Downloaded content (if outfile and chunk_callback are None)
             bool: True if successful (when using outfile or chunk_callback)
             coroutine: If called from async context, returns awaitable
-        
+
         Raises:
             ValueError: If both outfile and chunk_callback are provided
         """
@@ -59,20 +68,44 @@ def download_url(cls, url, outfile=None, total_size=None,
                 # We're in an async context, return the coroutine
                 return cls._download_url_async(url, outfile, total_size,
                                               progress_callback, chunk_callback, headers,
-                                              speed_callback)
+                                              speed_callback, redact_url)
             except RuntimeError:
                 # No running event loop, run synchronously
                 return asyncio.run(cls._download_url_async(url, outfile, total_size,
                                                           progress_callback, chunk_callback, headers,
-                                                          speed_callback))
+                                                          speed_callback, redact_url))
         except ImportError:
             # asyncio not available, shouldn't happen but handle gracefully
             raise ImportError("asyncio module not available")
-    
+
+    @staticmethod
+    def _safe_url(url):
+        """Return a log-safe rendering of `url` for use when the original URL
+        carries a secret in its path or query string. Strips everything
+        after `scheme://host[:port]` and replaces it with "/...REDACTED...".
+
+        Examples:
+            https://example.com/api/v2/xpub/zpub6q...  -> https://example.com/...REDACTED...
+            https://api.example.com:8080/p?key=abc     -> https://api.example.com:8080/...REDACTED...
+            https://example.com                        -> https://example.com  (no path to redact)
+            not-a-url                                  -> ...REDACTED...
+        """
+        try:
+            scheme_end = url.find("://")
+            if scheme_end < 0:
+                return "...REDACTED..."
+            path_start = url.find("/", scheme_end + 3)
+            if path_start < 0:
+                # No path component &mdash; nothing sensitive to strip.
+                return url
+            return url[:path_start] + "/...REDACTED..."
+        except Exception:
+            return "...REDACTED..."
+
     @classmethod
     async def _download_url_async(cls, url, outfile=None, total_size=None,
                                  progress_callback=None, chunk_callback=None, headers=None,
-                                 speed_callback=None):
+                                 speed_callback=None, redact_url=False):
         """Download a URL with flexible output modes.
         
         Args:
@@ -83,11 +116,14 @@ async def _download_url_async(cls, url, outfile=None, total_size=None,
             chunk_callback (coroutine, optional): async def callback(chunk: bytes)
             headers (dict, optional): HTTP headers (e.g., {'Range': 'bytes=1000-'})
             speed_callback (coroutine, optional): async def callback(bytes_per_second: float)
-        
+            redact_url (bool, optional): When True, log a redacted URL
+                (scheme://host only) and suppress the response-headers dump.
+                See `download_url` for details and use cases.
+
         Returns:
             bytes: Downloaded content (if outfile and chunk_callback are None)
             bool: True if successful (when using outfile or chunk_callback)
-        
+
         Raises:
             ValueError: If both outfile and chunk_callback are provided
         """
@@ -98,6 +134,11 @@ async def _download_url_async(cls, url, outfile=None, total_size=None,
                 "Use outfile for saving to disk, or chunk_callback for streaming."
             )
 
+        # Compute the log-safe rendering once; used for every URL-bearing print
+        # below. When redact_url is False this is just the original URL, so
+        # existing behaviour is preserved verbatim.
+        log_url = cls._safe_url(url) if redact_url else url
+
         import aiohttp
         session = aiohttp.ClientSession()
         sslctx = None # for http
@@ -106,7 +147,7 @@ async def _download_url_async(cls, url, outfile=None, total_size=None,
             sslctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
             sslctx.verify_mode = ssl.CERT_OPTIONAL # CERT_REQUIRED might fail because MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED
 
-        print(f"DownloadManager: Downloading {url}")
+        print(f"DownloadManager: Downloading {log_url}")
         
         fd = None
         try:
@@ -120,7 +161,13 @@ async def _download_url_async(cls, url, outfile=None, total_size=None,
                     raise RuntimeError(f"HTTP {response.status}")
                 
                 # Figure out total size and starting offset (for resume support)
-                print("DownloadManager: Response headers:", response.headers)
+                # When redacting, suppress the headers dump entirely &mdash; response
+                # headers can include `set-cookie`, `cf-ray` and other tokens
+                # that correlate to the request's secret-bearing URL.
+                if redact_url:
+                    print("DownloadManager: Response headers: <redacted>")
+                else:
+                    print("DownloadManager: Response headers:", response.headers)
                 resume_offset = 0  # Starting byte offset (0 for new downloads, >0 for resumed)
                 
                 if total_size is None:
@@ -241,7 +288,7 @@ async def _download_url_async(cls, url, outfile=None, total_size=None,
                                 speed_last_update_time = current_time
                     else:
                         # Chunk is None, download complete
-                        print(f"DownloadManager: Finished downloading {url}")
+                        print(f"DownloadManager: Finished downloading {log_url}")
                         if fd:
                             fd.close()
                             fd = None
@@ -252,7 +299,12 @@ async def _download_url_async(cls, url, outfile=None, total_size=None,
                             return b''.join(chunks)
         
         except Exception as e:
-            print(f"DownloadManager: Exception during download: {e}")
+            # Exception strings from aiohttp often embed the full URL &mdash;
+            # scrub it before printing when the caller asked for redaction.
+            err_str = str(e)
+            if redact_url and url in err_str:
+                err_str = err_str.replace(url, log_url)
+            print(f"DownloadManager: Exception during download: {err_str}")
             if fd:
                 fd.close()
             raise  # Re-raise the exception instead of suppressing it
diff --git a/internal_filesystem/lib/mpos/testing/mocks.py b/internal_filesystem/lib/mpos/testing/mocks.py
@@ -747,19 +747,21 @@ def __init__(self):
     
     async def download_url(self, url, outfile=None, total_size=None,
                           progress_callback=None, chunk_callback=None, headers=None,
-                          speed_callback=None):
+                          speed_callback=None, redact_url=False):
         """Mock async download with flexible output modes."""
         self.url_received = url
         self.headers_received = headers
-        
+        self.redact_url_received = redact_url
+
         self.call_history.append({
             'url': url,
             'outfile': outfile,
             'total_size': total_size,
             'headers': headers,
             'has_progress_callback': progress_callback is not None,
             'has_chunk_callback': chunk_callback is not None,
-            'has_speed_callback': speed_callback is not None
+            'has_speed_callback': speed_callback is not None,
+            'redact_url': redact_url,
         })
         
         if self.should_fail:
diff --git a/tests/test_download_manager.py b/tests/test_download_manager.py
@@ -547,3 +547,73 @@ async def track_progress(percent):
         # Verify progress values are in valid range
         for pct in progress_calls:
             self.assertTrue(0 <= pct <= 100)
+
+
+class TestSafeUrl(unittest.TestCase):
+    """Unit tests for the `_safe_url` helper used by `redact_url=True`."""
+
+    def test_https_with_path_and_query(self):
+        u = "https://btc1.trezor.io/api/v2/xpub/zpub6q...secret...stuff?details=txs&tokens=derived"
+        self.assertEqual(DownloadManager._safe_url(u), "https://btc1.trezor.io/...REDACTED...")
+
+    def test_http_with_port_and_path(self):
+        u = "http://api.example.com:8080/path/secret?key=abc"
+        self.assertEqual(DownloadManager._safe_url(u), "http://api.example.com:8080/...REDACTED...")
+
+    def test_naked_host_no_path_returned_unchanged(self):
+        # Nothing sensitive after the host &mdash; nothing to strip.
+        u = "https://example.com"
+        self.assertEqual(DownloadManager._safe_url(u), "https://example.com")
+
+    def test_trailing_slash_only(self):
+        # `https://example.com/` has an empty path; safe to redact as the
+        # function still finds a `/` after the scheme.
+        u = "https://example.com/"
+        self.assertEqual(DownloadManager._safe_url(u), "https://example.com/...REDACTED...")
+
+    def test_malformed_url_returns_generic_placeholder(self):
+        # Anything without `://` is treated as untrusted &mdash; replace whole.
+        self.assertEqual(DownloadManager._safe_url("not-a-url-at-all"), "...REDACTED...")
+
+    def test_secret_substrings_never_appear_in_redacted_output(self):
+        # Belt-and-braces check: the secret-bearing parts of the input
+        # must not appear in the redacted output. Catches future regressions
+        # where the redaction logic might accidentally keep a substring.
+        u = "https://idx.example.com/wallet/SECRETxpubABCDEFG?key=TOKEN_VALUE"
+        safe = DownloadManager._safe_url(u)
+        # MicroPython's unittest port has assertIn but not assertNotIn &mdash; use
+        # assertFalse(... in ...) for the negative case.
+        self.assertFalse("SECRETxpub" in safe)
+        self.assertFalse("TOKEN_VALUE" in safe)
+        self.assertIn("https://idx.example.com", safe)  # host kept on purpose
+
+
+class TestRedactUrlKwarg(unittest.TestCase):
+    """Verify the redact_url kwarg flows through the call surface (sync wrapper
+    + async impl + mock) without changing default behaviour."""
+
+    def test_mock_records_redact_url_default_false(self):
+        import asyncio
+        mock = MockDownloadManager()
+        # Configure a stub payload so download_url returns deterministic data
+        mock.download_data = b"x"
+
+        async def go():
+            await mock.download_url("https://example.com/path")
+        asyncio.run(go())
+
+        # Default: redact_url not requested.
+        self.assertEqual(mock.call_history[-1]['redact_url'], False)
+        self.assertEqual(mock.redact_url_received, False)
+
+    def test_mock_records_redact_url_true_when_passed(self):
+        import asyncio
+        mock = MockDownloadManager()
+        mock.download_data = b"x"
+
+        async def go():
+            await mock.download_url("https://example.com/path", redact_url=True)
+        asyncio.run(go())
+
+        self.assertEqual(mock.call_history[-1]['redact_url'], True)
+        self.assertEqual(mock.redact_url_received, True)
