strip user without password (#13)

main.go

@@ -96,6 +96,11 @@ func Scrub(argument string) string {
 	u, err := url.ParseRequestURI(argument)
 	if err == nil && u.Host != "" && contains(allowedSchemes, u.Scheme) {
 		u.Scheme = "https"
+		// Clear the user if there is no password, since the URL is usually ssh://[email protected].
+		// The username is required to tell the server you're doing Git operations, but not needed for HTTPS.
+		if _, isSet := u.User.Password(); !isSet {
+			u.User = nil
+		}
 		return u.String()
 	}
 	if scpUrl.MatchString(argument) {
@@ -109,7 +114,12 @@ func Scrub(argument string) string {
 			// host changed, possible attack
 			return argument
 		}
-		return newUrl
+		// Clear the user if there is no password, since the URL is usually [email protected].
+		// The username is required to tell the server you're doing Git operations, but not needed for HTTPS.
+		if _, isSet := u.User.Password(); !isSet {
+			u.User = nil
+		}
+		return u.String()
 	}
 	return argument
 }

main_test.go

@@ -49,11 +49,15 @@ func TestScrub(t *testing.T) {
 		},
 		{
 			input:    "[email protected]:dependabot/git-https-shim",
-			expected: "https://[email protected]/dependabot/git-https-shim",
+			expected: "https://github.com/dependabot/git-https-shim",
+		},
+		{
+			input:    "ssh://user:[email protected]/dependabot/git-https-shim",
+			expected: "https://user:[email protected]/dependabot/git-https-shim",
 		},
 		{
 			input:    "ssh://[email protected]/dependabot/git-https-shim",
-			expected: "https://git@github.com/dependabot/git-https-shim",
+			expected: "https://github.com/dependabot/git-https-shim",
 		},
 		{
 			input:    "ssh://github.com/dependabot/git-https-shim",