GitLab Project Import by URL Discloses Basic Auth Credentials via E-Mail
When importing a new project by URL into GitLab (from, for example, GitHub.com), a user can specify basic authentication details. For example: "https://username:personal_access_token@github.com/project".
When the import completes, this URL (including the username and password) is embedded in the e-mail sent back to the user who performed the import. This stores an authentication token in the user's mailbox, or discloses it to a group of people if the address associated with the importing account is a service account or a mailing list/group.
GitLab should sanitize authentication details before returning the URL to the user within the email to prevent authentication materials from being disclosed.
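One way to apply the fix suggested above, as an added example in Ruby (GitLab's own language) that is not GitLab's code; `sanitize_import_url` and `import_finished_message` are hypothetical helper names:

```ruby
require 'uri'

# Strip embedded basic-auth credentials (user:password@) from an import URL
# before it is echoed anywhere user-visible, such as a notification e-mail.
# Returns the URL unchanged when it carries no userinfo.
def sanitize_import_url(url)
  uri = URI.parse(url)
  return url if uri.userinfo.nil?

  uri.user = nil      # drops the user part; to_s then omits userinfo
  uri.password = nil  # clear the stored password as well
  uri.to_s
rescue URI::InvalidURIError
  # Unparseable input: still remove anything that looks like userinfo
  # (scheme:// followed by non-path characters and '@') instead of
  # echoing the raw string.
  url.sub(%r{\A([a-z][a-z0-9+.-]*://)[^/?#@]*@}i, '\1')
end

# The place where the sanitized URL belongs: the message generated when
# the import finishes (hypothetical helper, not GitLab's mailer).
def import_finished_message(import_url)
  "Your project import from #{sanitize_import_url(import_url)} has completed."
end
```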
Edited by 🤖 GitLab Bot 🤖