enhance(log): improve secret masking to better handle URL strings (#303)

go-vela · Aug 16, 2023 · 670dcf4 · 670dcf4
1 parent 1e3aae6
commit 670dcf4
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/library/log.go b/library/log.go
@@ -56,7 +56,8 @@ func (l *Log) MaskData(secrets []string) {
 		// create regexp to match secrets in the log data surrounded by regexp metacharacters
 		//
 		// https://pkg.go.dev/regexp#MustCompile
-		re := regexp.MustCompile((`(\s|^|=|"|:|'|\.|,)` + escaped + `(\s|$|"|:|'|\.|,)`))
+		buffer := `(\s|^|=|"|\?|:|'|\.|,|&|$|;)`
+		re := regexp.MustCompile((buffer + escaped + buffer))
 
 		// create a mask for the secret
 		mask := fmt.Sprintf("$1%s$2", constants.SecretLogMask)

diff --git a/library/log_test.go b/library/log_test.go
@@ -54,6 +54,8 @@ func TestLibrary_Log_MaskData(t *testing.T) {
 	s3Masked := "$ echo $SECRET1\n***\n$ echo $SECRET2\n***\n"
 	s4 := "SOME_SECRET=((%.YY245***pP.><@@}}"
 	s4Masked := "SOME_SECRET=***"
+	s5 := "www.example.com?username=secret&password=extrasecret"
+	s5Masked := "www.example.com?username=***&password=***"
 
 	tests := []struct {
 		want    []byte
@@ -80,6 +82,11 @@ func TestLibrary_Log_MaskData(t *testing.T) {
 			log:     []byte(s4),
 			secrets: sVals,
 		},
+		{ // secret baked in URL query params
+			want:    []byte(s5Masked),
+			log:     []byte(s5),
+			secrets: sVals,
+		},
 		{ // empty secrets slice
 			want:    []byte(s3),
 			log:     []byte(s3),