Fix a bug with masking of secrets containing other secrets as substri…

…ngs.

src/main/java/org/jenkinsci/plugins/credentialsbinding/MultiBinding.java

@@ -38,9 +38,12 @@
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.Serializable;
+import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.Comparator;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.regex.Pattern;
@@ -143,6 +146,13 @@ protected static final class NullUnbinder implements Unbinder {
         return (BindingDescriptor<C>) super.getDescriptor();
     }
 
+    private static final Comparator<String> stringLengthComparator = new Comparator<String>() {
+        @Override
+        public int compare(String o1, String o2) {
+            return o2.length() - o1.length();
+        }
+    };
+
     /**
      * Utility method for turning a collection of secret strings into a single {@link String} for pattern compilation.
      * @param secrets A collection of secret strings
@@ -151,7 +161,10 @@ protected static final class NullUnbinder implements Unbinder {
     @Restricted(NoExternalUse.class)
     public static String getPatternStringForSecrets(Collection<String> secrets) {
         StringBuilder b = new StringBuilder();
-        for (String secret : secrets) {
+        List<String> sortedByLength = new ArrayList<String>(secrets);
+        Collections.sort(sortedByLength, stringLengthComparator);
+
+        for (String secret : sortedByLength) {
             if (b.length() > 0) {
                 b.append('|');
             }

src/test/java/org/jenkinsci/plugins/credentialsbinding/impl/SecretBuildWrapperTest.java

@@ -40,6 +40,7 @@
 import org.jvnet.hudson.test.JenkinsRule;
 
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 
 public class SecretBuildWrapperTest {
@@ -54,18 +55,27 @@ public class SecretBuildWrapperTest {
 
         CredentialsProvider.lookupStores(r.jenkins).iterator().next().addCredentials(Domain.global(), firstCreds);
 
-        SecretBuildWrapper wrapper = new SecretBuildWrapper(Collections.singletonList(new StringBinding("PASS_1", firstCredentialsId)));
+        String secondCredentialsId = "creds_2";
+        String secondPassword = "p4ss" + "someMoreStuff";
+        StringCredentialsImpl secondCreds = new StringCredentialsImpl(CredentialsScope.GLOBAL, secondCredentialsId, "sample2", Secret.fromString(secondPassword));
+
+        CredentialsProvider.lookupStores(r.jenkins).iterator().next().addCredentials(Domain.global(), secondCreds);
+
+        SecretBuildWrapper wrapper = new SecretBuildWrapper(Arrays.asList(new StringBinding("PASS_1", firstCredentialsId),
+                new StringBinding("PASS_2", secondCredentialsId)));
 
         FreeStyleProject f = r.createFreeStyleProject();
 
         f.setConcurrentBuild(true);
         f.getBuildersList().add(new Shell("echo $PASS_1"));
+        f.getBuildersList().add(new Shell("echo $PASS_2"));
         f.getBuildWrappersList().add(wrapper);
 
         r.configRoundtrip((Item)f);
 
         FreeStyleBuild b = r.buildAndAssertSuccess(f);
         r.assertLogNotContains(firstPassword, b);
+        r.assertLogNotContains(secondPassword, b);
         r.assertLogContains("echo ****", b);
     }