fix: mask secrets when characters get uri encoded

semantic-release · Nov 16, 2020 · ca90b34 · ca90b34
1 parent 63fa143
commit ca90b34
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/lib/hide-sensitive.js b/lib/hide-sensitive.js
@@ -11,7 +11,12 @@ module.exports = (env) => {
     return /token|password|credential|secret|private/i.test(envVar) && size(env[envVar].trim()) >= SECRET_MIN_SIZE;
   });
 
-  const regexp = new RegExp(toReplace.map((envVar) => escapeRegExp(env[envVar])).join('|'), 'g');
+  const regexp = new RegExp(
+    toReplace
+      .map((envVar) => `${escapeRegExp(env[envVar])}|${encodeURI(escapeRegExp(env[envVar]))}`)
+      .join('|'),
+    'g'
+  );
   return (output) =>
     output && isString(output) && toReplace.length > 0 ? output.toString().replace(regexp, SECRET_REPLACEMENT) : output;
 };
diff --git a/test/hide-sensitive.test.js b/test/hide-sensitive.test.js
@@ -24,6 +24,14 @@ test('Replace sensitive environment variable matching specific regex for "privat
   t.is(hideSensitive(env)(`https://host.com?token=${env.privateKey}`), `https://host.com?token=${SECRET_REPLACEMENT}`);
 });
 
+test('Replace url-encoded environment variable', (t) => {
+  const env = {privateKey: 'secret '};
+  t.is(
+    hideSensitive(env)(`https://host.com?token=${encodeURI(env.privateKey)}`),
+    `https://host.com?token=${SECRET_REPLACEMENT}`
+  );
+});
+
 test('Escape regexp special characters', (t) => {
   const env = {SOME_CREDENTIALS: 'p$^{.+}\\w[a-z]o.*rd'};
   t.is(