lib,test: redact proxy credentials in tunnel errors

Refs: https://hackerone.com/reports/3720313
Signed-off-by: Matteo Collina <hello@matteocollina.com>
PR-URL: nodejs-private/node-private#867
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
CVE-ID: CVE-2026-48615

Author: mcollina

lib/internal/http.js

@@ -99,7 +99,7 @@ function ipToInt(ip) {
 /**
  * Represents the proxy configuration for an agent. The built-in http and https agent
  * implementation have one of this when they are configured to use a proxy.
- * @property {string} href - Full URL of the proxy server.
+ * @property {string} href - Proxy server URL with credentials redacted.
  * @property {string} protocol - Proxy protocol used to talk to the proxy server.
  * @property {string|undefined} auth - proxy-authorization header value, if username or password is provided.
  * @property {Array<string>} bypassList - List of hosts to bypass the proxy.
@@ -115,7 +115,13 @@ class ProxyConfig {
     }
     const { hostname, port, protocol, username, password } = parsedURL;
 
-    this.href = proxyUrl;
+    if (username || password) {
+      parsedURL.username = '';
+      parsedURL.password = '';
+      this.href = parsedURL.href;
+    } else {
+      this.href = proxyUrl;
+    }
     this.protocol = protocol;
 
     if (username || password) {

test/client-proxy/test-https-proxy-request-auth-failure.mjs

@@ -53,6 +53,9 @@ const { code, signal, stderr } = await runProxiedRequest({
 // The proxy client should get an error from proxy authentication failure.
 // Since the process exits cleanly but with an error, check for any error output
 assert.match(stderr, /407 Proxy Authentication Required/);
+assert.match(stderr, /via http:\/\/localhost:\d+\/?/);
+assert.doesNotMatch(stderr, /baduser/);
+assert.doesNotMatch(stderr, /badpass/);
 assert.strictEqual(code, 0);
 assert.strictEqual(signal, null);