fix: do not hide env variable value if shorter than 5

semantic-release · Jul 31, 2018 · b082a2e · b082a2e
1 parent 43d0646
commit b082a2e
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 8 deletions.
diff --git a/lib/definitions/constants.js b/lib/definitions/constants.js
@@ -10,4 +10,14 @@ const RELEASE_NOTES_SEPARATOR = '\n\n';
 
 const SECRET_REPLACEMENT = '[secure]';
 
-module.exports = {RELEASE_TYPE, FIRST_RELEASE, COMMIT_NAME, COMMIT_EMAIL, RELEASE_NOTES_SEPARATOR, SECRET_REPLACEMENT};
+const SECRET_MIN_SIZE = 5;
+
+module.exports = {
+  RELEASE_TYPE,
+  FIRST_RELEASE,
+  COMMIT_NAME,
+  COMMIT_EMAIL,
+  RELEASE_NOTES_SEPARATOR,
+  SECRET_REPLACEMENT,
+  SECRET_MIN_SIZE,
+};
diff --git a/lib/hide-sensitive.js b/lib/hide-sensitive.js
@@ -1,9 +1,9 @@
-const {escapeRegExp} = require('lodash');
-const {SECRET_REPLACEMENT} = require('./definitions/constants');
+const {escapeRegExp, size} = require('lodash');
+const {SECRET_REPLACEMENT, SECRET_MIN_SIZE} = require('./definitions/constants');
 
 module.exports = env => {
   const toReplace = Object.keys(env).filter(
-    envVar => /token|password|credential|secret|private/i.test(envVar) && env[envVar].trim()
+    envVar => /token|password|credential|secret|private/i.test(envVar) && size(env[envVar].trim()) >= SECRET_MIN_SIZE
   );
 
   const regexp = new RegExp(toReplace.map(envVar => escapeRegExp(env[envVar])).join('|'), 'g');

diff --git a/test/hide-sensitive.test.js b/test/hide-sensitive.test.js
@@ -1,25 +1,30 @@
 import test from 'ava';
+import {repeat} from 'lodash';
 import hideSensitive from '../lib/hide-sensitive';
+import {SECRET_REPLACEMENT, SECRET_MIN_SIZE} from '../lib/definitions/constants';
 
 test('Replace multiple sensitive environment variable values', t => {
   const env = {SOME_PASSWORD: 'password', SOME_TOKEN: 'secret'};
   t.is(
     hideSensitive(env)(`https://user:${env.SOME_PASSWORD}@host.com?token=${env.SOME_TOKEN}`),
-    'https://user:[secure]@host.com?token=[secure]'
+    `https://user:${SECRET_REPLACEMENT}@host.com?token=${SECRET_REPLACEMENT}`
   );
 });
 
 test('Replace multiple occurences of sensitive environment variable values', t => {
   const env = {secretKey: 'secret'};
   t.is(
     hideSensitive(env)(`https://user:${env.secretKey}@host.com?token=${env.secretKey}`),
-    'https://user:[secure]@host.com?token=[secure]'
+    `https://user:${SECRET_REPLACEMENT}@host.com?token=${SECRET_REPLACEMENT}`
   );
 });
 
 test('Escape regexp special characters', t => {
   const env = {SOME_CREDENTIALS: 'p$^{.+}\\w[a-z]o.*rd'};
-  t.is(hideSensitive(env)(`https://user:${env.SOME_CREDENTIALS}@host.com`), 'https://user:[secure]@host.com');
+  t.is(
+    hideSensitive(env)(`https://user:${env.SOME_CREDENTIALS}@host.com`),
+    `https://user:${SECRET_REPLACEMENT}@host.com`
+  );
 });
 
 test('Accept "undefined" input', t => {
@@ -34,10 +39,20 @@ test('Exclude empty environment variables from the regexp', t => {
   const env = {SOME_PASSWORD: 'password', SOME_TOKEN: ''};
   t.is(
     hideSensitive(env)(`https://user:${env.SOME_PASSWORD}@host.com?token=`),
-    'https://user:[secure]@host.com?token='
+    `https://user:${SECRET_REPLACEMENT}@host.com?token=`
   );
 });
 
 test('Exclude empty environment variables from the regexp if there is only empty ones', t => {
   t.is(hideSensitive({SOME_PASSWORD: '', SOME_TOKEN: ' \n '})(`https://host.com?token=`), 'https://host.com?token=');
 });
+
+test('Exclude environment variables with value shorter than SECRET_MIN_SIZE from the regexp', t => {
+  const SHORT_TOKEN = repeat('a', SECRET_MIN_SIZE - 1);
+  const LONG_TOKEN = repeat('b', SECRET_MIN_SIZE);
+  const env = {SHORT_TOKEN, LONG_TOKEN};
+  t.is(
+    hideSensitive(env)(`https://user:${SHORT_TOKEN}@host.com?token=${LONG_TOKEN}`),
+    `https://user:${SHORT_TOKEN}@host.com?token=${SECRET_REPLACEMENT}`
+  );
+});