fix: sanitize base64 of all secrets (#14423)

lib/util/sanitize.spec.ts

@@ -11,6 +11,7 @@ describe('util/sanitize', () => {
   });
 
   it('sanitizes empty string', () => {
+    addSecretForSanitizing('');
     expect(sanitize(null as never)).toBeNull();
     expect(sanitize('')).toBe('');
   });
@@ -32,4 +33,10 @@ describe('util/sanitize', () => {
     const outputX2 = [output, output].join('\n');
     expect(sanitize(inputX2)).toBe(outputX2);
   });
+  it('sanitizes github app tokens', () => {
+    addSecretForSanitizing('x-access-token:abc123');
+    expect(sanitize(`hello ${toBase64('abc123')} world`)).toBe(
+      'hello **redacted** world'
+    );
+  });
 });

lib/util/sanitize.ts

@@ -1,3 +1,6 @@
+import is from '@sindresorhus/is';
+import { toBase64 } from './string';
+
 const secrets = new Set<string>();
 
 export const redactedFields = [
@@ -26,9 +29,19 @@ export function sanitize(input: string): string {
   return output;
 }
 
+const GITHUB_APP_TOKEN_PREFIX = 'x-access-token:';
+
 export function addSecretForSanitizing(secret: string): void {
+  if (!is.nonEmptyString(secret)) {
+    return;
+  }
   secrets.add(secret);
-  secrets.add(secret?.replace('x-access-token:', '')); // GitHub App tokens
+  secrets.add(toBase64(secret));
+  if (secret.startsWith(GITHUB_APP_TOKEN_PREFIX)) {
+    const trimmedSecret = secret.replace(GITHUB_APP_TOKEN_PREFIX, '');
+    secrets.add(trimmedSecret);
+    secrets.add(toBase64(trimmedSecret));
+  }
 }
 
 export function clearSanitizedSecretsList(): void {