renovatebot · rarkins · Mar 13, 2022 · Mar 13, 2022
diff --git a/lib/modules/platform/azure/util.ts b/lib/modules/platform/azure/util.ts
@@ -142,7 +142,7 @@ export function getStorageExtraCloneOpts(config: HostRule): GitOptions {
     authType = 'bearer';
     authValue = config.token;
   }
-  addSecretForSanitizing(authValue);
+  addSecretForSanitizing(authValue, 'global');
   return {
     '-c': `http.extraheader=AUTHORIZATION: ${authType} ${authValue}`,
   };

diff --git a/lib/util/sanitize.spec.ts b/lib/util/sanitize.spec.ts
@@ -19,7 +19,7 @@ describe('util/sanitize', () => {
     const token = '123testtoken';
     const username = 'userabc';
     const password = 'password123';
-    addSecretForSanitizing(token);
+    addSecretForSanitizing(token, 'global');
     const hashed = toBase64(`${username}:${password}`);
     addSecretForSanitizing(hashed);
     addSecretForSanitizing(password);

diff --git a/lib/util/sanitize.ts b/lib/util/sanitize.ts
@@ -1,7 +1,8 @@
 import is from '@sindresorhus/is';
 import { toBase64 } from './string';
 
-const secrets = new Set<string>();
+const globalSecrets = new Set<string>();
+const repoSecrets = new Set<string>();
 
 export const redactedFields = [
   'authorization',
@@ -21,20 +22,23 @@ export function sanitize(input: string): string {
     return input;
   }
   let output: string = input;
-  secrets.forEach((secret) => {
-    while (output.includes(secret)) {
-      output = output.replace(secret, '**redacted**');
-    }
+  [globalSecrets, repoSecrets].forEach((secrets) => {
+    secrets.forEach((secret) => {
+      while (output.includes(secret)) {
+        output = output.replace(secret, '**redacted**');
+      }
+    });
   });
   return output;
 }
 
 const GITHUB_APP_TOKEN_PREFIX = 'x-access-token:';
 
-export function addSecretForSanitizing(secret: string): void {
+export function addSecretForSanitizing(secret: string, type = 'repo'): void {
   if (!is.nonEmptyString(secret)) {
     return;
   }
+  const secrets = type === 'repo' ? repoSecrets : globalSecrets;
   secrets.add(secret);
   secrets.add(toBase64(secret));
   if (secret.startsWith(GITHUB_APP_TOKEN_PREFIX)) {
@@ -44,6 +48,7 @@ export function addSecretForSanitizing(secret: string): void {
   }
 }
 
-export function clearSanitizedSecretsList(): void {
+export function clearSanitizedSecretsList(type = 'repo'): void {
+  const secrets = type === 'repo' ? repoSecrets : globalSecrets;
   secrets.clear();
 }