Follow-up to PR D-3 security review (merge 325a895).
D-3 added `validate_fragment_urls` to `crates/rdlp-api/src/orchestrator/download.rs`, which rejects plugin-supplied per-fragment URLs that fail SSRF validation. On rejection, the URL is embedded in `RdlpError::Network.url` for diagnostics.
Reviewer noted: `rdlp_security::sanitize_for_logging` already exists and is applied to other URL surfaces (proxy URLs, generic Network errors). Fragment URLs are not credential-bearing by current design, so the gap is not exploitable today. But if future work adds credentialed fragment URLs (signed CDN URLs with embedded tokens, S3 presigned URLs as fragment sources), the rejection error message would leak the credential into log output.
Scope
- Apply `sanitize_for_logging` to the offending URL before embedding into `RdlpError::Network { url: ... }` in `validate_fragment_url_one`.
- Audit other recent rejection sites in the orchestrator for the same pattern.
- Verify the sanitizer correctly redacts query parameters that look like tokens (`?token=`, `?sig=`, `?X-Amz-Signature=`, etc.).
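An added example of the behaviour the Scope items ask for, not the project's own `sanitize_for_logging` (whose implementation is not on this page): drop userinfo, redact token-like query values, and apply the sanitizer before the URL reaches the rejection error text. `sanitize_url_for_logging`, `fragment_rejection_message` and the key list are assumptions made for this illustration.

```rust
// Added example, not the project's `rdlp_security::sanitize_for_logging` (whose code is
// not on this page): drop userinfo (`user:pass@`) and redact credential-like query
// values, keeping scheme, host, port and path intact for diagnostics.
// Query keys treated as credential-bearing (case-insensitive); the list is an assumption.
const SENSITIVE_KEYS: &[&str] = &[
    "token", "access_token", "sig", "signature", "key", "auth",
    "x-amz-signature", "x-amz-credential", "x-amz-security-token",
];

fn is_sensitive_key(key: &str) -> bool {
    let k = key.to_ascii_lowercase();
    SENSITIVE_KEYS.iter().any(|s| *s == k)
}

pub fn sanitize_url_for_logging(url: &str) -> String {
    let (scheme, rest) = url.split_once("://").unwrap_or(("", url));
    // The authority ends at the first '/', '?' or '#'.
    let auth_end = rest.find(|c: char| c == '/' || c == '?' || c == '#').unwrap_or(rest.len());
    let (authority, tail) = rest.split_at(auth_end);
    // A password may itself contain '@', so split userinfo from host at the last one.
    let host = match authority.rfind('@') {
        Some(i) => format!("[REDACTED]@{}", &authority[i + 1..]),
        None => authority.to_string(),
    };
    let (path_query, fragment) = tail.split_once('#').map_or((tail, None), |(p, f)| (p, Some(f)));
    let (path, query) = path_query.split_once('?').map_or((path_query, None), |(p, q)| (p, Some(q)));
    let prefix = if scheme.is_empty() { String::new() } else { format!("{scheme}://") };
    let mut out = format!("{prefix}{host}{path}");
    if let Some(q) = query {
        // Keep non-sensitive parameters (e.g. expiry) so the log stays useful.
        let redacted: Vec<String> = q.split('&').map(|kv| match kv.split_once('=') {
            Some((k, _)) if is_sensitive_key(k) => format!("{k}=[REDACTED]"),
            _ => kv.to_string(),
        }).collect();
        out.push('?');
        out.push_str(&redacted.join("&"));
    }
    if let Some(f) = fragment { out.push('#'); out.push_str(f); }
    out
}

// Hypothetical rejection-site helper: sanitize *before* the URL is embedded in the
// diagnostic text, the ordering the ticket asks for at `validate_fragment_url_one`.
pub fn fragment_rejection_message(raw_url: &str, reason: &str) -> String {
    format!("fragment URL rejected ({reason}): {}", sanitize_url_for_logging(raw_url))
}
```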
Acceptance criteria