client logs query parameters, which can leak secrets #206

Description

@chazdnato

There are several places where url.URL is used in a log or error, for example:

via logs:

v.Debug("performing request", "method", req.Method, "url", req.URL)

via returned error:

return nil, fmt.Errorf("%s %s giving up after %d attempt(s): %w",

While the former can be mitigated by setting a nil logger on client instantiation, users of the client have to deal with potential query param / data leaks through errors.

We would like to see either a removal of query params entirely, or an option to disable full query param reporting. We could replace instances of url.URL with a few options:

// Option 1: rebuild the URL without the query string (u is a *url.URL)
cleanURL := u.Scheme + "://" + u.Host + u.Path

// Option 2: truncate everything after the first "?"
cleanURL := strings.Split(u.String(), "?")[0]
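As an added example (not code from the issue or from the client itself), the two helpers below produce loggable URL strings from a parsed `*url.URL` without touching the request's own URL: `stripQuery` drops the query and fragment and masks a userinfo password via `Redacted()`, and `redactQueryValues` keeps parameter names but replaces their values, which is often enough to debug which endpoint was called. Both function names and the sample URL are constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
)

// stripQuery returns a loggable copy of u with the query string, fragment and
// any userinfo password removed. It works on the parsed URL rather than on
// string concatenation, so port, IPv6 hosts and encoding are preserved.
// The caller's URL is not modified.
func stripQuery(u *url.URL) string {
	if u == nil {
		return ""
	}
	c := *u // shallow copy; only scalar fields are changed below
	c.RawQuery, c.ForceQuery = "", false
	c.Fragment, c.RawFragment = "", ""
	return c.Redacted() // Redacted() masks a userinfo password as "xxxxx"
}

// redactQueryValues keeps every parameter name but replaces each value with
// a fixed marker, so logs still show the shape of the request without the
// secrets carried in it.
func redactQueryValues(u *url.URL) string {
	if u == nil {
		return ""
	}
	c := *u
	q := c.Query() // decoded copy of the query; safe to mutate
	for k := range q {
		q[k] = []string{"REDACTED"}
	}
	c.RawQuery = q.Encode() // Encode() sorts keys, giving stable output
	c.Fragment, c.RawFragment = "", ""
	return c.Redacted()
}

func main() {
	// Constructed sample URL carrying a token in the query and a password in userinfo.
	u, err := url.Parse("https://user:s3cret@api.example.com/v1/items?api_key=abc123&page=2")
	if err != nil {
		panic(err)
	}
	fmt.Println("stripped:", stripQuery(u))       // https://user:xxxxx@api.example.com/v1/items
	fmt.Println("redacted:", redactQueryValues(u)) // ...?api_key=REDACTED&page=REDACTED
}
```

Either helper can stand in for `req.URL` in the Debug call and the `fmt.Errorf` message quoted above.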
