fix: prevent false positive secret replacement for Golang projects (#1562)

nickshine · web-flow · commit eed1d3c8cbab · 2020-05-24T11:53:00.000-07:00
diff --git a/lib/hide-sensitive.js b/lib/hide-sensitive.js
@@ -2,9 +2,14 @@ const {escapeRegExp, size, isString} = require('lodash');
 const {SECRET_REPLACEMENT, SECRET_MIN_SIZE} = require('./definitions/constants');
 
 module.exports = (env) => {
-  const toReplace = Object.keys(env).filter(
-    (envVar) => /token|password|credential|secret|private/i.test(envVar) && size(env[envVar].trim()) >= SECRET_MIN_SIZE
-  );
+  const toReplace = Object.keys(env).filter((envVar) => {
+    // https://github.com/semantic-release/semantic-release/issues/1558
+    if (envVar === 'GOPRIVATE') {
+      return false;
+    }
+
+    return /token|password|credential|secret|private/i.test(envVar) && size(env[envVar].trim()) >= SECRET_MIN_SIZE;
+  });
 
   const regexp = new RegExp(toReplace.map((envVar) => escapeRegExp(env[envVar])).join('|'), 'g');
   return (output) =>
diff --git a/test/hide-sensitive.test.js b/test/hide-sensitive.test.js
@@ -19,6 +19,11 @@ test('Replace multiple occurences of sensitive environment variable values', (t)
   );
 });
 
+test('Replace sensitive environment variable matching specific regex for "private"', (t) => {
+  const env = {privateKey: 'secret', GOPRIVATE: 'host.com'};
+  t.is(hideSensitive(env)(`https://host.com?token=${env.privateKey}`), `https://host.com?token=${SECRET_REPLACEMENT}`);
+});
+
 test('Escape regexp special characters', (t) => {
   const env = {SOME_CREDENTIALS: 'p$^{.+}\\w[a-z]o.*rd'};
   t.is(
@@ -47,6 +52,11 @@ test('Exclude empty environment variables from the regexp if there is only empty
   t.is(hideSensitive({SOME_PASSWORD: '', SOME_TOKEN: ' \n '})(`https://host.com?token=`), 'https://host.com?token=');
 });
 
+test('Exclude nonsensitive GOPRIVATE environment variable for Golang projects from the regexp', (t) => {
+  const env = {GOPRIVATE: 'host.com'};
+  t.is(hideSensitive(env)(`https://host.com?token=`), 'https://host.com?token=');
+});
+
 test('Exclude environment variables with value shorter than SECRET_MIN_SIZE from the regexp', (t) => {
   const SHORT_TOKEN = repeat('a', SECRET_MIN_SIZE - 1);
   const LONG_TOKEN = repeat('b', SECRET_MIN_SIZE);
