Improved and reliable secret masking (#569)

* Upgrade target to ES2021 * Improved and reliable secret masking
devcontainers · Jun 29, 2023 · 74d9244 · 74d9244
1 parent 1d943a7
commit 74d9244
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 12 deletions.
diff --git a/src/spec-utils/log.ts b/src/spec-utils/log.ts
@@ -299,27 +299,34 @@ export function toWarningText(str: string) {
 
 export function replaceAllLog(origin: LogHandler, values: string[], replacement: string): LogHandler {
 	values = values
-		.map(v => v.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
-		.filter(v => v.length);
+		.filter(v => v.length)
+		.sort((a, b) => b.length - a.length);
 	if (!values.length) {
 		return origin;
 	}
-	const r = new RegExp(values.join('|'), 'g');
 	return {
 		event: e => {
 			if ('text' in e) {
 				origin.event({
 					...e,
-					text: e.text.replace(r, replacement),
+					text: replaceValues(e.text, replacement, values),
 				});
 			} else if (e.type === 'progress' && e.stepDetail) {
 				origin.event({
 					...e,
-					stepDetail: e.stepDetail.replace(r, replacement),
+					stepDetail: replaceValues(e.stepDetail, replacement, values),
 				});
 			} else {
 				origin.event(e);
 			}
 		}
 	};
 }
+
+function replaceValues(str: string, replacement: string, values: string[]) {
+	values.forEach(x => {
+		str = str.replaceAll(x, replacement);
+	});
+
+	return str;
+}
diff --git a/src/test/cli.up.test.ts b/src/test/cli.up.test.ts
@@ -49,13 +49,8 @@ describe('Dev Containers CLI', function () {
 			const testFolder = `${__dirname}/configs`;
 			let containerId: string | null = null;
 			await shellExec(`rm -f ${testFolder}/*.testMarker`, undefined, undefined, true);
-			const secrets = {
-				'SECRET1': 'SecretValue1',
-				'MASK_IT': 'container',
-			};
-			await shellExec(`printf '${JSON.stringify(secrets)}' > ${testFolder}/test-secrets-temp.json`, undefined, undefined, true);
 
-			const res = await shellExec(`${cli} up --workspace-folder ${__dirname}/configs/image-with-git-feature --dotfiles-repository https://github.com/codspace/test-dotfiles --secrets-file ${testFolder}/test-secrets-temp.json --log-level trace --log-format json`);
+			const res = await shellExec(`${cli} up --workspace-folder ${__dirname}/configs/image-with-git-feature --dotfiles-repository https://github.com/codspace/test-dotfiles --secrets-file ${testFolder}/test-secrets.json --log-level trace --log-format json`);
 			const response = JSON.parse(res.stdout);
 			assert.equal(response.outcome, 'success');
 			containerId = response.containerId;
@@ -71,7 +66,7 @@ describe('Dev Containers CLI', function () {
 			assert.match(stdout, /TEST_REMOTE_ENV=Value 1/);
 
 			// assert secret masking
-			// We log the message `Starting container` from CLI. Since the word `container` is specified as a secret here, that should get masked
+			// We log the message `Starting container` from CLI. Since the word `container` is specified as a secret (in test-secrets.json), that should get masked
 			const logs = res.stderr;
 			assert.match(logs, /Starting \*\*\*\*\*\*\*\*/);
 			assert.doesNotMatch(logs, /Starting container/);