
Redact URL from "net/http" error message

- Fix LookupIP redaction

- Use common stub string value
Rod Hynes 6 lat temu
rodzic
commit
4bb96f0b2b

+ 5 - 4
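--- a/psiphon/LookupIP.go
+++ b/psiphon/LookupIP.go
@@ -70,15 +70,16 @@ func LookupIP(ctx context.Context, host string, config *DialConfig) ([]net.IP, e
 	}
 
 	addrs, err := net.DefaultResolver.LookupIPAddr(ctx, host)
-	if err != nil {
-		return nil, common.ContextError(err)
-	}
 
 	// Remove domain names from "net" error messages.
-	if !GetEmitNetworkParameters() {
+	if err != nil && !GetEmitNetworkParameters() {
 		err = RedactNetError(err)
 	}
 
+	if err != nil {
+		return nil, common.ContextError(err)
+	}
+
 	ips := make([]net.IP, len(addrs))
 	for i, addr := range addrs {
 		ips[i] = addr.IP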

+ 5 - 4
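--- a/psiphon/LookupIP_nobind.go
+++ b/psiphon/LookupIP_nobind.go
@@ -37,15 +37,16 @@ func LookupIP(ctx context.Context, host string, config *DialConfig) ([]net.IP, e
 	}
 
 	addrs, err := net.DefaultResolver.LookupIPAddr(ctx, host)
-	if err != nil {
-		return nil, common.ContextError(err)
-	}
 
 	// Remove domain names from "net" error messages.
-	if !GetEmitNetworkParameters() {
+	if err != nil && !GetEmitNetworkParameters() {
 		err = RedactNetError(err)
 	}
 
+	if err != nil {
+		return nil, common.ContextError(err)
+	}
+
 	ips := make([]net.IP, len(addrs))
 	for i, addr := range addrs {
 		ips[i] = addr.IP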

+ 1 - 1
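--- a/psiphon/TCPConn_nobind.go
+++ b/psiphon/TCPConn_nobind.go
@@ -41,7 +41,7 @@ func tcpDial(ctx context.Context, addr string, config *DialConfig) (net.Conn, er
 	conn, err := dialer.DialContext(ctx, "tcp", addr)
 
 	// Remove domain names from "net" error messages.
-	if !GetEmitNetworkParameters() {
+	if err != nil && !GetEmitNetworkParameters() {
 		err = RedactNetError(err)
 	}
 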

+ 1 - 1
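--- a/psiphon/config.go
+++ b/psiphon/config.go
@@ -1272,7 +1272,7 @@ func (n *loggingNetworkIDGetter) GetNetworkID() string {
 	}
 	if len(logNetworkID)+1 < len(networkID) {
 		// Indicate when additional network info was present after the first "-".
-		logNetworkID += "+<network info>"
+		logNetworkID += "+[redacted]"
 	}
 	NoticeNetworkID(logNetworkID)
 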

+ 8 - 0
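--- a/psiphon/net.go
+++ b/psiphon/net.go
@@ -30,6 +30,7 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"strings"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -530,6 +531,13 @@ func ResumeDownload(
 		err = fmt.Errorf("unexpected response status code: %d", response.StatusCode)
 	}
 	if err != nil {
+
+		// Redact URL from "net/http" error message.
+		if !GetEmitNetworkParameters() {
+			errStr := err.Error()
+			err = errors.New(strings.ReplaceAll(errStr, downloadURL, "[redacted]"))
+		}
+
 		return 0, "", common.ContextError(err)
 	}
 	defer response.Body.Close()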
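Review bot: The redaction added ahead of `return 0, "", common.ContextError(err)` removes only an exact copy of `downloadURL`, so any other spelling of the same destination stays in the logged message. The URL that net/http embeds in its error is, as far as I can tell, re-serialized from the parsed request URL (and may be a redirect target), and an inner dial or lookup error can name the host alone; neither would match the literal string. An empty `downloadURL` would also make `strings.ReplaceAll` insert "[redacted]" between every character. I would guard the empty case and additionally replace the parsed host name, as sketched below; this needs `net/url` if the file does not already import it. ResumeDownload begins and ends outside this hunk, so where `err` originates is not fully visible here.

```go
	if err != nil {

		// Redact URL from "net/http" error message.
		if !GetEmitNetworkParameters() {
			errStr := err.Error()
			if downloadURL != "" {
				errStr = strings.ReplaceAll(errStr, downloadURL, "[redacted]")
			}
			// The inner "net" error may name the host without the rest of the URL.
			if u, parseErr := url.Parse(downloadURL); parseErr == nil && u.Hostname() != "" {
				errStr = strings.ReplaceAll(errStr, u.Hostname(), "[redacted]")
			}
			err = errors.New(errStr)
		}

		// … unchanged: return with common.ContextError(err) …
```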

+ 2 - 2
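--- a/psiphon/notice.go
+++ b/psiphon/notice.go
@@ -727,7 +727,7 @@ func NoticeExiting() {
 // NoticeRemoteServerListResourceDownloadedBytes reports remote server list download progress.
 func NoticeRemoteServerListResourceDownloadedBytes(url string, bytes int64) {
 	if !GetEmitNetworkParameters() {
-		url = "<url>"
+		url = "[redacted]"
 	}
 	singletonNoticeLogger.outputNotice(
 		"RemoteServerListResourceDownloadedBytes", noticeIsDiagnostic,
@@ -739,7 +739,7 @@ func NoticeRemoteServerListResourceDownloadedBytes(url string, bytes int64) {
 // completed successfully.
 func NoticeRemoteServerListResourceDownloaded(url string) {
 	if !GetEmitNetworkParameters() {
-		url = "<url>"
+		url = "[redacted]"
 	}
 	singletonNoticeLogger.outputNotice(
 		"RemoteServerListResourceDownloaded", noticeIsDiagnostic,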

+ 5 - 5
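--- a/psiphon/utils.go
+++ b/psiphon/utils.go
@@ -117,7 +117,7 @@ var stripIPv4AddressRegex = regexp.MustCompile(
 	`(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}(:(6553[0-5]|655[0-2][0-9]\d|65[0-4](\d){2}|6[0-4](\d){3}|[1-5](\d){4}|[1-9](\d){0,3}))?`)
 
 // StripIPAddresses returns a copy of the input with all IP addresses [and
-// optional ports] replaced  by "<address>". This is intended to be used to
+// optional ports] replaced  by "[address]". This is intended to be used to
 // strip addresses from "net" package I/O error messages and otherwise avoid
 // inadvertently recording direct server IPs via error message logs; and, in
 // metrics, to reduce the error space due to superfluous source port data.
@@ -125,13 +125,13 @@ var stripIPv4AddressRegex = regexp.MustCompile(
 // Limitation: only strips IPv4 addresses.
 func StripIPAddresses(b []byte) []byte {
 	// TODO: IPv6 support
-	return stripIPv4AddressRegex.ReplaceAll(b, []byte("<address>"))
+	return stripIPv4AddressRegex.ReplaceAll(b, []byte("[redacted]"))
 }
 
 // StripIPAddressesString is StripIPAddresses for strings.
 func StripIPAddressesString(s string) string {
 	// TODO: IPv6 support
-	return stripIPv4AddressRegex.ReplaceAllString(s, "<address>")
+	return stripIPv4AddressRegex.ReplaceAllString(s, "[redacted]")
 }
 
 // RedactNetError removes network address information from a "net" package
@@ -155,12 +155,12 @@ func RedactNetError(err error) error {
 	}
 
 	errstr := err.Error()
-	index := strings.Index(errstr, ":")
+	index := strings.Index(errstr, ": ")
 	if index == -1 {
 		return err
 	}
 
-	return errors.New("[redacted]" + errstr[index:])
+	return errors.New("[redacted]" + errstr[index:])
 }
 
 // SyncFileWriter wraps a file and exposes an io.Writer. At predefined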
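Review bot: In the last hunk, RedactNetError replaces only the text before the first `": "` and returns `errstr[index:]` unchanged, so an address or domain that appears later in the message is still logged. A nested error shaped like `dial tcp: lookup <host>: no such host` would presumably keep its host name, because the first `": "` precedes it. The top of the function is outside the hunk, so it may already restrict which error types reach this code. Running the tail through the existing stripper would at least cover IPv4 literals, `return errors.New("[redacted]" + StripIPAddressesString(errstr[index:]))`, and the doc comment should say that host names after the first separator are not removed. Separately, the StripIPAddresses comment in the first hunk now says `"[address]"` while the code substitutes `"[redacted]"`.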