renovate/renovate
1
0
Fork 0
mirror of https://github.com/renovatebot/renovate.git synced 2025-01-13 07:26:26 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 6

fix: sanitize base64 of all secrets (#14423)

Browse source
This commit is contained in:
Rhys Arkins 2022-02-28 18:07:09 +01:00 committed by GitHub
parent 1151f08d9a
commit 69c9c98cd6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 21 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
lib/util/sanitize.spec.ts
View file

@ -11,6 +11,7 @@ describe('util/sanitize', () => {
});
it('sanitizes empty string', () => {
addSecretForSanitizing('');
expect(sanitize(null as never)).toBeNull();
expect(sanitize('')).toBe('');
});
@ -32,4 +33,10 @@ describe('util/sanitize', () => {
const outputX2 = [output, output].join('\n');
expect(sanitize(inputX2)).toBe(outputX2);
});
it('sanitizes github app tokens', () => {
addSecretForSanitizing('x-access-token:abc123');
expect(sanitize(`hello ${toBase64('abc123')} world`)).toBe(
'hello **redacted** world'
);
});
});

15
lib/util/sanitize.ts
View file

@ -1,3 +1,6 @@
import is from '@sindresorhus/is';
import { toBase64 } from './string';
const secrets = new Set<string>();
export const redactedFields = [
@ -26,9 +29,19 @@ export function sanitize(input: string): string {
return output;
}
const GITHUB_APP_TOKEN_PREFIX = 'x-access-token:';
export function addSecretForSanitizing(secret: string): void {
if (!is.nonEmptyString(secret)) {
return;
}
secrets.add(secret);
secrets.add(secret?.replace('x-access-token:', '')); // GitHub App tokens
secrets.add(toBase64(secret));
if (secret.startsWith(GITHUB_APP_TOKEN_PREFIX)) {
const trimmedSecret = secret.replace(GITHUB_APP_TOKEN_PREFIX, '');
secrets.add(trimmedSecret);
secrets.add(toBase64(trimmedSecret));
}
}
export function clearSanitizedSecretsList(): void {