Skip to content
Permalink
Browse files
fix: mask secrets when characters get uri encoded
  • Loading branch information
travi committed Nov 16, 2020
1 parent 63fa143 commit ca90b34c4a9333438cc4d69faeb43362bb991e5a
Showing with 14 additions and 1 deletion.
  1. +6 −1 lib/hide-sensitive.js
  2. +8 −0 test/hide-sensitive.test.js
@@ -11,7 +11,12 @@ module.exports = (env) => {
return /token|password|credential|secret|private/i.test(envVar) && size(env[envVar].trim()) >= SECRET_MIN_SIZE;
});

const regexp = new RegExp(toReplace.map((envVar) => escapeRegExp(env[envVar])).join('|'), 'g');
const regexp = new RegExp(
toReplace
.map((envVar) => `${escapeRegExp(env[envVar])}|${encodeURI(escapeRegExp(env[envVar]))}`)
.join('|'),
'g'
);
return (output) =>
output && isString(output) && toReplace.length > 0 ? output.toString().replace(regexp, SECRET_REPLACEMENT) : output;
};
@@ -24,6 +24,14 @@ test('Replace sensitive environment variable matching specific regex for "privat
t.is(hideSensitive(env)(`https://host.com?token=${env.privateKey}`), `https://host.com?token=${SECRET_REPLACEMENT}`);
});

test('Replace url-encoded environment variable', (t) => {
const env = {privateKey: 'secret '};
t.is(
hideSensitive(env)(`https://host.com?token=${encodeURI(env.privateKey)}`),
`https://host.com?token=${SECRET_REPLACEMENT}`
);
});

test('Escape regexp special characters', (t) => {
const env = {SOME_CREDENTIALS: 'p$^{.+}\\w[a-z]o.*rd'};
t.is(

0 comments on commit ca90b34

Please sign in to comment.