do not mask single-character secrets

4 years ago · 7df9235cfb
parent 437a98da19
commit 7df9235cfb
3 changed files with 27 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -4,6 +4,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 ### Fixed
 - fix panic when registry uri parsing errors
+- do not mask single-character secrets

 ## [1.6.0] - 2020-03-24
 ### Added
--- a/pipeline/runtime/replacer.go
+++ b/pipeline/runtime/replacer.go
@ -27,7 +27,9 @@ func newReplacer(w io.WriteCloser, secrets []Secret) io.WriteCloser {
 		for _, part := range strings.Split(v, "\n") {
 			part = strings.TrimSpace(part)

-			if len(part) == 0 {
+			// avoid masking empty or single character
+			// strings.
+			if len(part) < 2 {
 				continue
 			}

--- a/pipeline/runtime/replacer_test.go
+++ b/pipeline/runtime/replacer_test.go
@ -56,6 +56,29 @@ r9nicR5wDy2W
 	}
 }

+func TestReplaceMultilineJson(t *testing.T) {
+	key := `{
+  "token":"MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEA0SC5BIYpanOv6wSm"
+}`
+
+	line := `{
+  "token":"MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEA0SC5BIYpanOv6wSm"
+}`
+
+	secrets := []Secret{
+		&mockSecret{Name: "JSON_KEY", Data: key, Mask: true},
+	}
+
+	buf := new(bytes.Buffer)
+	w := newReplacer(&nopCloser{buf}, secrets)
+	w.Write([]byte(line))
+	w.Close()
+
+	if got, want := buf.String(), "{\n  ******\n}"; got != want {
+		t.Errorf("Want masked string %s, got %s", want, got)
+	}
+}
+
 // this test verifies that if there are no secrets to scan and
 // mask, the io.WriteCloser is returned as-is.
 func TestReplaceNone(t *testing.T) {