From 50f1e29113b80586715f04eaca3f7b4bfec1b6b4 Mon Sep 17 00:00:00 2001
From: RahulGautamSingh <rahultesnik@gmail.com>
Date: Fri, 6 Sep 2024 09:44:13 +0530
Subject: [PATCH] feat: do not mask secrets templates (#31240)

---
 lib/logger/utils.spec.ts | 28 ++++++++++++++++++++++++++++
 lib/logger/utils.ts      |  8 +++++++-
 2 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/lib/logger/utils.spec.ts b/lib/logger/utils.spec.ts
index 2073782a91..3d36dc577e 100644
--- a/lib/logger/utils.spec.ts
+++ b/lib/logger/utils.spec.ts
@@ -53,6 +53,34 @@ describe('logger/utils', () => {
     expect(sanitizeValue(input)).toBe(output);
   });
 
+  it('preserves secret template strings in redacted fields', () => {
+    const input = {
+      normal: 'value',
+      token: '{{ secrets.MY_SECRET }}',
+      password: '{{secrets.ANOTHER_SECRET}}',
+      content: '{{ secrets.CONTENT_SECRET }}',
+      npmToken: '{{ secrets.NPM_TOKEN }}',
+      forkToken: 'some-token',
+      nested: {
+        authorization: '{{ secrets.NESTED_SECRET }}',
+        password: 'some-password',
+      },
+    };
+    const expected = {
+      normal: 'value',
+      token: '{{ secrets.MY_SECRET }}',
+      password: '{{secrets.ANOTHER_SECRET}}',
+      content: '[content]',
+      npmToken: '{{ secrets.NPM_TOKEN }}',
+      forkToken: '***********',
+      nested: {
+        authorization: '{{ secrets.NESTED_SECRET }}',
+        password: '***********',
+      },
+    };
+    expect(sanitizeValue(input)).toEqual(expected);
+  });
+
   describe('prepareError', () => {
     function getError<T extends z.ZodType>(
       schema: T,
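Review bot: The new `it('preserves secret template strings in redacted fields', …)` block only exercises values that are exactly a `{{ secrets.NAME }}` template, so it does not pin down the boundary of the bypass: nothing asserts that a redacted field whose value merely resembles a template is still masked. Since the change adds an allowlist that lets a value escape masking in logs, the spec should include at least one negative case in the same object, e.g. `forkToken: '{{ secrets.A }}xyz}}'` in `input` with `forkToken: '***********'` in `expected`, and likely a plain `'{{ not.secrets }}'` as well. Such a case would also document that only the bare template reference is intended to pass through unmasked. The enclosing `describe('logger/utils', …)` starts and ends outside this hunk.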
diff --git a/lib/logger/utils.ts b/lib/logger/utils.ts
index 35c07dc952..ac2f5ec5f2 100644
--- a/lib/logger/utils.ts
+++ b/lib/logger/utils.ts
@@ -4,6 +4,7 @@ import bunyan from 'bunyan';
 import fs from 'fs-extra';
 import { RequestError as HttpError } from 'got';
 import { ZodError } from 'zod';
+import { regEx } from '../util/regex';
 import { redactedFields, sanitize } from '../util/sanitize';
 import type { BunyanRecord, BunyanStream } from './types';
 
@@ -214,7 +215,12 @@ export function sanitizeValue(
       if (!val) {
         curValue = val;
       } else if (redactedFields.includes(key)) {
-        curValue = '***********';
+        // Do not mask/sanitize secrets templates
+        if (is.string(val) && regEx(/^{{\s*secrets\..*}}$/).test(val)) {
+          curValue = val;
+        } else {
+          curValue = '***********';
+        }
       } else if (contentFields.includes(key)) {
         curValue = '[content]';
       } else if (key === 'secrets') {
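Review bot: The allowlist pattern on the added `regEx(/^{{\s*secrets\..*}}$/)` line is broader than a template reference, because `.*` accepts any characters up to the final `}}`, so a redacted field holding `{{ secrets.A }}` followed by arbitrary text that happens to end in `}}` would be written to the log unmasked. Since this is an exception carved out of the masking path, the match should be as tight as the template it is meant to recognise, e.g. `regEx(/^{{\s*secrets\.[A-Za-z0-9_]+\s*}}$/)`, with the character class aligned to whatever the secrets config validator permits for secret names (confirm against that validator before landing). A short comment such as `// Only a bare {{ secrets.NAME }} reference is safe to log; anything else in a redacted field stays masked` next to the check would make the intent of the exception explicit. `sanitizeValue` begins and ends outside this hunk, and the regEx import added in the earlier hunk of this file is the only other change.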
-- 
GitLab