From f8f8fbcac47aa3c8c0c9b5f3a8738957934cc86c Mon Sep 17 00:00:00 2001
From: Dmitriy Dekhanov <DmitriyDekhanov@gmail.com>
Date: Thu, 19 Nov 2020 22:55:09 +0300
Subject: [PATCH] fix: escape uri encoded symbols (#1697)

---
 lib/hide-sensitive.js       | 2 +-
 test/hide-sensitive.test.js | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/hide-sensitive.js b/lib/hide-sensitive.js
index 43b5603857..1768c5901b 100644
--- a/lib/hide-sensitive.js
+++ b/lib/hide-sensitive.js
@@ -12,7 +12,7 @@ module.exports = (env) => {
   });
 
   const regexp = new RegExp(
-    toReplace.map((envVar) => `${escapeRegExp(env[envVar])}|${encodeURI(escapeRegExp(env[envVar]))}`).join('|'),
+    toReplace.map((envVar) => `${escapeRegExp(env[envVar])}|${escapeRegExp(encodeURI(env[envVar]))}`).join('|'),
     'g'
   );
   return (output) =>
diff --git a/test/hide-sensitive.test.js b/test/hide-sensitive.test.js
index 4987d31634..14686839e2 100644
--- a/test/hide-sensitive.test.js
+++ b/test/hide-sensitive.test.js
@@ -40,6 +40,14 @@ test('Escape regexp special characters', (t) => {
   );
 });
 
+test('Escape regexp special characters in url-encoded environment variable', (t) => {
+  const env = {SOME_PASSWORD: 'secret password p$^{.+}\\w[a-z]o.*rd)('};
+  t.is(
+    hideSensitive(env)(`https://user:${encodeURI(env.SOME_PASSWORD)}@host.com`),
+    `https://user:${SECRET_REPLACEMENT}@host.com`
+  );
+});
+
 test('Accept "undefined" input', (t) => {
   t.is(hideSensitive({})(), undefined);
 });