fix: prevent false positive secret replacement

Resolve #1558

lib/hide-sensitive.js

@@ -3,7 +3,8 @@ const {SECRET_REPLACEMENT, SECRET_MIN_SIZE} = require('./definitions/constants')
 
 module.exports = (env) => {
   const toReplace = Object.keys(env).filter(
-    (envVar) => /token|password|credential|secret|private/i.test(envVar) && size(env[envVar].trim()) >= SECRET_MIN_SIZE
+    (envVar) =>
+      /token|password|credential|secret|(?<!^go)private/i.test(envVar) && size(env[envVar].trim()) >= SECRET_MIN_SIZE
   );
 
   const regexp = new RegExp(toReplace.map((envVar) => escapeRegExp(env[envVar])).join('|'), 'g');

test/hide-sensitive.test.js

@@ -19,6 +19,11 @@ test('Replace multiple occurences of sensitive environment variable values', (t)
   );
 });
 
+test('Replace sensitive environment variable matching specific regex for "private"', (t) => {
+  const env = {privateKey: 'secret', GOPRIVATE: 'host.com'};
+  t.is(hideSensitive(env)(`https://host.com?token=${env.privateKey}`), `https://host.com?token=${SECRET_REPLACEMENT}`);
+});
+
 test('Escape regexp special characters', (t) => {
   const env = {SOME_CREDENTIALS: 'p$^{.+}\\w[a-z]o.*rd'};
   t.is(
@@ -47,6 +52,11 @@ test('Exclude empty environment variables from the regexp if there is only empty
   t.is(hideSensitive({SOME_PASSWORD: '', SOME_TOKEN: ' \n '})(`https://host.com?token=`), 'https://host.com?token=');
 });
 
+test('Exclude nonsensitive GOPRIVATE environment variable for Golang projects from the regexp', (t) => {
+  const env = {GOPRIVATE: 'host.com'};
+  t.is(hideSensitive(env)(`https://host.com?token=`), 'https://host.com?token=');
+});
+
 test('Exclude environment variables with value shorter than SECRET_MIN_SIZE from the regexp', (t) => {
   const SHORT_TOKEN = repeat('a', SECRET_MIN_SIZE - 1);
   const LONG_TOKEN = repeat('b', SECRET_MIN_SIZE);