semantic-release · gr2m · Nov 19, 2020 · Nov 18, 2020
diff --git a/lib/hide-sensitive.js b/lib/hide-sensitive.js
@@ -12,7 +12,7 @@ module.exports = (env) => {
   });
 
   const regexp = new RegExp(
-    toReplace.map((envVar) => `${escapeRegExp(env[envVar])}|${encodeURI(escapeRegExp(env[envVar]))}`).join('|'),
+    toReplace.map((envVar) => `${escapeRegExp(env[envVar])}|${escapeRegExp(encodeURI(env[envVar]))}`).join('|'),
     'g'
   );
   return (output) =>

diff --git a/test/hide-sensitive.test.js b/test/hide-sensitive.test.js
@@ -40,6 +40,14 @@ test('Escape regexp special characters', (t) => {
   );
 });
 
+test('Escape regexp special characters in url-encoded environment variable', (t) => {
+  const env = {SOME_PASSWORD: 'secret password p$^{.+}\\w[a-z]o.*rd)('};
+  t.is(
+    hideSensitive(env)(`https://user:${encodeURI(env.SOME_PASSWORD)}@host.com`),
+    `https://user:${SECRET_REPLACEMENT}@host.com`
+  );
+});
+
 test('Accept "undefined" input', (t) => {
   t.is(hideSensitive({})(), undefined);
 });