fix: sanitize base64 of all secrets (#14423)

69c9c98c · Rhys Arkins · GitHub · 1151f08d · 69c9c98c · 69c9c98c
Unverified Commit 69c9c98c authored 3 years ago by Rhys Arkins Committed by GitHub 3 years ago
--- a/lib/util/sanitize.spec.ts
+++ b/lib/util/sanitize.spec.ts
@@ -11,6 +11,7 @@ describe('util/sanitize', () => {
  });
  it('sanitizes empty string', () => {
+    addSecretForSanitizing('');
    expect(sanitize(null as never)).toBeNull();
    expect(sanitize('')).toBe('');
  });
@@ -32,4 +33,10 @@ describe('util/sanitize', () => {
    const outputX2 = [output, output].join('\n');
    expect(sanitize(inputX2)).toBe(outputX2);
  });
+  it('sanitizes github app tokens', () => {
+    addSecretForSanitizing('x-access-token:abc123');
+    expect(sanitize(`hello ${toBase64('abc123')} world`)).toBe(
+      'hello **redacted** world'
+    );
+  });
 });
--- a/lib/util/sanitize.ts
+++ b/lib/util/sanitize.ts
+import is from '@sindresorhus/is';
+import { toBase64 } from './string';
 const secrets = new Set<string>();
 export const redactedFields = [
@@ -26,9 +29,19 @@ export function sanitize(input: string): string {
  return output;
 }
+const GITHUB_APP_TOKEN_PREFIX = 'x-access-token:';
 export function addSecretForSanitizing(secret: string): void {
+  if (!is.nonEmptyString(secret)) {
+    return;
+  }
  secrets.add(secret);
-  secrets.add(secret?.replace('x-access-token:', '')); // GitHub App tokens
+  secrets.add(toBase64(secret));
+  if (secret.startsWith(GITHUB_APP_TOKEN_PREFIX)) {
+    const trimmedSecret = secret.replace(GITHUB_APP_TOKEN_PREFIX, '');
+    secrets.add(trimmedSecret);
+    secrets.add(toBase64(trimmedSecret));
+  }
 }
 export function clearSanitizedSecretsList(): void {