From 69c9c98cd6a56c3d2f09efd65edffe4027a99010 Mon Sep 17 00:00:00 2001
From: Rhys Arkins
Date: Mon, 28 Feb 2022 18:07:09 +0100
Subject: [PATCH] fix: sanitize base64 of all secrets (#14423)
---
 lib/util/sanitize.spec.ts | 7 +++++++
 lib/util/sanitize.ts | 15 ++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/lib/util/sanitize.spec.ts b/lib/util/sanitize.spec.ts
index fb8c16e9f3..c38c9e3574 100644
--- a/lib/util/sanitize.spec.ts
+++ b/lib/util/sanitize.spec.ts
@@ -11,6 +11,7 @@ describe('util/sanitize', () => {
   });
   it('sanitizes empty string', () => {
+    addSecretForSanitizing('');
     expect(sanitize(null as never)).toBeNull();
     expect(sanitize('')).toBe('');
   });
@@ -32,4 +33,10 @@ describe('util/sanitize', () => {
     const outputX2 = [output, output].join('\n');
     expect(sanitize(inputX2)).toBe(outputX2);
   });
+  it('sanitizes github app tokens', () => {
+    addSecretForSanitizing('x-access-token:abc123');
+    expect(sanitize(`hello ${toBase64('abc123')} world`)).toBe(
+      'hello **redacted** world'
+    );
+  });
 });
diff --git a/lib/util/sanitize.ts b/lib/util/sanitize.ts
index 2ea926b1d7..2d830e2d72 100644
--- a/lib/util/sanitize.ts
+++ b/lib/util/sanitize.ts
@@ -1,3 +1,6 @@
+import is from '@sindresorhus/is';
+import { toBase64 } from './string';
+
 const secrets = new Set();
 
 export const redactedFields = [
@@ -26,9 +29,19 @@ export function sanitize(input: string): string {
   return output;
 }
 
+const GITHUB_APP_TOKEN_PREFIX = 'x-access-token:';
+
 export function addSecretForSanitizing(secret: string): void {
+  if (!is.nonEmptyString(secret)) {
+    return;
+  }
   secrets.add(secret);
-  secrets.add(secret?.replace('x-access-token:', '')); // GitHub App tokens
+  secrets.add(toBase64(secret));
+  if (secret.startsWith(GITHUB_APP_TOKEN_PREFIX)) {
+    const trimmedSecret = secret.replace(GITHUB_APP_TOKEN_PREFIX, '');
+    secrets.add(trimmedSecret);
+    secrets.add(toBase64(trimmedSecret));
+  }
 }
 
 export function clearSanitizedSecretsList(): void {
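Review bot: The new `sanitizes github app tokens` case asserts only the base64 of the stripped token, while the change also registers the raw `x-access-token:abc123`, the bare `abc123` and `toBase64('x-access-token:abc123')`, none of which has an assertion. Adding `expect(sanitize('a ' + toBase64('x-access-token:abc123') + ' b')).toBe('a **redacted** b');` alongside the existing expectation would pin the encoding of the full credential, which is the form it is likely to take in an Authorization header. The enclosing `describe` block starts outside the hunk.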
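Review bot: The `is.nonEmptyString` guard protects `secret` but not `trimmedSecret`: a caller passing exactly `x-access-token:` passes the guard, the prefix strip yields `''`, and both `''` and `toBase64('')` (also `''`) are added to the set, which is the very value the new early return was added to keep out. Wrapping the two inner adds in `if (is.nonEmptyString(trimmedSecret)) { … }` closes that gap, and since `startsWith` has already been checked, `const trimmedSecret = secret.slice(GITHUB_APP_TOKEN_PREFIX.length);` states the intent more directly than `replace`. It is also worth recording the limit of the new `toBase64(secret)` entries with a comment such as `// Covers the secret encoded on its own; a secret embedded in a larger base64 blob is encoded at a different alignment and will not match.` so nobody assumes every base64 occurrence is redacted. How `sanitize` treats an empty entry is not visible in the hunk, so the practical effect of the unguarded `''` depends on that loop.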