From 69c9c98cd6a56c3d2f09efd65edffe4027a99010 Mon Sep 17 00:00:00 2001
From: Rhys Arkins <rhys@arkins.net>
Date: Mon, 28 Feb 2022 18:07:09 +0100
Subject: [PATCH] fix: sanitize base64 of all secrets (#14423)

---
 lib/util/sanitize.spec.ts |  7 +++++++
 lib/util/sanitize.ts      | 15 ++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/lib/util/sanitize.spec.ts b/lib/util/sanitize.spec.ts
index fb8c16e9f3..c38c9e3574 100644
--- a/lib/util/sanitize.spec.ts
+++ b/lib/util/sanitize.spec.ts
@@ -11,6 +11,7 @@ describe('util/sanitize', () => {
   });
 
   it('sanitizes empty string', () => {
+    addSecretForSanitizing('');
     expect(sanitize(null as never)).toBeNull();
     expect(sanitize('')).toBe('');
   });
@@ -32,4 +33,10 @@ describe('util/sanitize', () => {
     const outputX2 = [output, output].join('\n');
     expect(sanitize(inputX2)).toBe(outputX2);
   });
+  it('sanitizes github app tokens', () => {
+    addSecretForSanitizing('x-access-token:abc123');
+    expect(sanitize(`hello ${toBase64('abc123')} world`)).toBe(
+      'hello **redacted** world'
+    );
+  });
 });
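Review bot: The new test at line 27 exercises only the base64 form of the prefix-trimmed token, so three of the four values registered by addSecretForSanitizing — the plaintext with prefix, the trimmed plaintext, and the base64 of the full `x-access-token:abc123` string — are not asserted here, and a regression in any of them would still pass. Adding `expect(sanitize(`hello ${toBase64('x-access-token:abc123')} world`)).toBe('hello **redacted** world');` would pin the full-string encoding that the commit title describes. Whether the secrets set is cleared between tests is not visible in this hunk; if it is not, earlier registrations leak into this assertion.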
diff --git a/lib/util/sanitize.ts b/lib/util/sanitize.ts
index 2ea926b1d7..2d830e2d72 100644
--- a/lib/util/sanitize.ts
+++ b/lib/util/sanitize.ts
@@ -1,3 +1,6 @@
+import is from '@sindresorhus/is';
+import { toBase64 } from './string';
+
 const secrets = new Set<string>();
 
 export const redactedFields = [
@@ -26,9 +29,19 @@ export function sanitize(input: string): string {
   return output;
 }
 
+const GITHUB_APP_TOKEN_PREFIX = 'x-access-token:';
+
 export function addSecretForSanitizing(secret: string): void {
+  if (!is.nonEmptyString(secret)) {
+    return;
+  }
   secrets.add(secret);
-  secrets.add(secret?.replace('x-access-token:', '')); // GitHub App tokens
+  secrets.add(toBase64(secret));
+  if (secret.startsWith(GITHUB_APP_TOKEN_PREFIX)) {
+    const trimmedSecret = secret.replace(GITHUB_APP_TOKEN_PREFIX, '');
+    secrets.add(trimmedSecret);
+    secrets.add(toBase64(trimmedSecret));
+  }
 }
 
 export function clearSanitizedSecretsList(): void {
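Review bot: The `toBase64(secret)` added at line 57 only matches the secret when it is base64-encoded on its own; the same secret encoded together with surrounding bytes (a longer string that merely contains it) aligns differently and its encoding is not a substring, so encoded-output redaction remains best-effort and that limit should be stated at the call site, e.g. `// Standalone base64 only: a secret encoded alongside other text aligns differently and is not caught.` Separately, `secret.replace(GITHUB_APP_TOKEN_PREFIX, '')` at line 59 is already guarded by the startsWith check, so `const trimmedSecret = secret.slice(GITHUB_APP_TOKEN_PREFIX.length);` expresses the intent directly rather than relying on first-occurrence replacement. clearSanitizedSecretsList's body continues outside the hunk.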
-- 
GitLab