From 90e5182bd434974ea4bfa85d04d21e46ff8cd82b Mon Sep 17 00:00:00 2001
From: Rhys Arkins <rhys@arkins.net>
Date: Sun, 13 Mar 2022 11:27:21 +0100
Subject: [PATCH] refactor: split global/repo sanitizations (#14635)

---
 lib/modules/platform/azure/util.ts |  2 +-
 lib/util/sanitize.spec.ts          |  2 +-
 lib/util/sanitize.ts               | 19 ++++++++++++-------
 3 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/lib/modules/platform/azure/util.ts b/lib/modules/platform/azure/util.ts
index 617b1e5a76..d71238b423 100644
--- a/lib/modules/platform/azure/util.ts
+++ b/lib/modules/platform/azure/util.ts
@@ -142,7 +142,7 @@ export function getStorageExtraCloneOpts(config: HostRule): GitOptions {
     authType = 'bearer';
     authValue = config.token;
   }
-  addSecretForSanitizing(authValue);
+  addSecretForSanitizing(authValue, 'global');
   return {
     '-c': `http.extraheader=AUTHORIZATION: ${authType} ${authValue}`,
   };
diff --git a/lib/util/sanitize.spec.ts b/lib/util/sanitize.spec.ts
index c38c9e3574..3968698227 100644
--- a/lib/util/sanitize.spec.ts
+++ b/lib/util/sanitize.spec.ts
@@ -19,7 +19,7 @@ describe('util/sanitize', () => {
     const token = '123testtoken';
     const username = 'userabc';
     const password = 'password123';
-    addSecretForSanitizing(token);
+    addSecretForSanitizing(token, 'global');
     const hashed = toBase64(`${username}:${password}`);
     addSecretForSanitizing(hashed);
     addSecretForSanitizing(password);
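Review bot: Nothing visible in this hunk asserts the behaviour the refactor introduces, namely that a secret registered as `'global'` is still redacted after the default `clearSanitizedSecretsList()` call. The only change is that `token` now goes into the global set, while the existing expectations would pass whichever set it landed in. Assuming `sanitize` and `clearSanitizedSecretsList` are in scope in this spec, a case such as `clearSanitizedSecretsList(); expect(sanitize(token)).toBe('**redacted**');` would pin the separation. A matching check that `password` is no longer redacted would cover the repo side. The `describe` block starts and ends outside the hunk, so such a test may already exist elsewhere in the file.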
diff --git a/lib/util/sanitize.ts b/lib/util/sanitize.ts
index 2d830e2d72..724bc095bc 100644
--- a/lib/util/sanitize.ts
+++ b/lib/util/sanitize.ts
@@ -1,7 +1,8 @@
 import is from '@sindresorhus/is';
 import { toBase64 } from './string';
 
-const secrets = new Set<string>();
+const globalSecrets = new Set<string>();
+const repoSecrets = new Set<string>();
 
 export const redactedFields = [
   'authorization',
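Review bot: `globalSecrets` and `repoSecrets` are declared without any comment on how their lifetimes differ, and a reader can only work that out from the default argument of `clearSanitizedSecretsList` further down the file. Since a secret placed in the wrong set is either kept longer than intended or dropped from redaction early, a one-line comment on each would help: `// cleared by clearSanitizedSecretsList() (default 'repo')` on `repoSecrets` and `// only cleared by clearSanitizedSecretsList('global')` on `globalSecrets`.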
@@ -21,20 +22,23 @@ export function sanitize(input: string): string {
     return input;
   }
   let output: string = input;
-  secrets.forEach((secret) => {
-    while (output.includes(secret)) {
-      output = output.replace(secret, '**redacted**');
-    }
+  [globalSecrets, repoSecrets].forEach((secrets) => {
+    secrets.forEach((secret) => {
+      while (output.includes(secret)) {
+        output = output.replace(secret, '**redacted**');
+      }
+    });
   });
   return output;
 }
 
 const GITHUB_APP_TOKEN_PREFIX = 'x-access-token:';
 
-export function addSecretForSanitizing(secret: string): void {
+export function addSecretForSanitizing(secret: string, type = 'repo'): void {
   if (!is.nonEmptyString(secret)) {
     return;
   }
+  const secrets = type === 'repo' ? repoSecrets : globalSecrets;
   secrets.add(secret);
   secrets.add(toBase64(secret));
   if (secret.startsWith(GITHUB_APP_TOKEN_PREFIX)) {
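Review bot: The new `type` parameter of `addSecretForSanitizing` is inferred as `string`, so any value other than the exact literal `'repo'` selects `globalSecrets`. The same ternary appears in `clearSanitizedSecretsList` in the next hunk, where a mistyped argument would empty the global set and leave those secrets unredacted in later output. Declaring the parameter as `type: 'repo' | 'global' = 'repo'` in both signatures lets the compiler reject anything else. Separately, the `while (output.includes(secret))` loop carried into the nested form in `sanitize` would not terminate for a secret that is itself a substring of `**redacted**`, so a single-pass replacement such as `output.split(secret).join('**redacted**')` may be worth considering. The body of `addSecretForSanitizing` continues past the end of this hunk.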
@@ -44,6 +48,7 @@ export function addSecretForSanitizing(secret: string): void {
   }
 }
 
-export function clearSanitizedSecretsList(): void {
+export function clearSanitizedSecretsList(type = 'repo'): void {
+  const secrets = type === 'repo' ? repoSecrets : globalSecrets;
   secrets.clear();
 }
-- 
GitLab