From 4577390130b351e56dd0d031ef3a7effd04d82cc Mon Sep 17 00:00:00 2001
From: Hugo Aboud <hugoaboud@gmail.com>
Date: Tue, 19 Aug 2025 16:16:01 -0300
Subject: [PATCH] Sanitize credentials on websocket error messages

---
 internal/api/ws/ws.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/internal/api/ws/ws.go b/internal/api/ws/ws.go
index 1d945bfe..5a7d34be 100644
--- a/internal/api/ws/ws.go
+++ b/internal/api/ws/ws.go
@@ -8,6 +8,7 @@ import (
 	"strings"
 	"sync"
 	"time"
+	"regexp"
 
 	"github.com/AlexxIT/go2rtc/internal/api"
 	"github.com/AlexxIT/go2rtc/internal/app"
@@ -132,7 +133,11 @@ func apiWS(w http.ResponseWriter, r *http.Request) {
 		if handler := wsHandlers[msg.Type]; handler != nil {
 			go func() {
 				if err = handler(tr, msg); err != nil {
-					tr.Write(&Message{Type: "error", Value: msg.Type + ": " + err.Error()})
+					// Some streams such as ffmpeg might return credentials on error messages
+					errMsg := err.Error()
+					sanitizer := regexp.MustCompile(`(\w+)://(.*)@`)
+					errMsg = sanitizer.ReplaceAllString(errMsg, "$1://******@")
+					tr.Write(&Message{Type: "error", Value: msg.Type + ": " + errMsg})
 				}
 			}()
 		}