chore/fix(log): moving secret masking to log type (#225)

* moving secret masking to log type * use quotemeta instead of hack solution * adding comments and addressing an edge case * clean up mask data function Co-authored-by: Jordan Brockopp <[email protected]>
go-vela · Jan 19, 2022 · 0787a67 · 0787a67
1 parent 5a3c46e
commit 0787a67
Show file tree

Hide file tree

Showing 2 changed files with 84 additions and 1 deletion.
diff --git a/library/log.go b/library/log.go
@@ -4,7 +4,12 @@
 
 package library
 
-import "fmt"
+import (
+	"fmt"
+	"regexp"
+
+	"github.com/go-vela/types/constants"
+)
 
 // Log is the library representation of a log for a step in a build.
 //
@@ -36,6 +41,35 @@ func (l *Log) AppendData(data []byte) {
 	l.SetData(append(l.GetData(), data...))
 }
 
+// MaskData reads through the log data and masks
+// all values provided in the string slice. If the
+// log is empty, we do nothing.
+func (l *Log) MaskData(secrets []string) {
+	data := l.GetData()
+	for _, secret := range secrets {
+		// escape regexp meta characters if they exist within value of secret
+		//
+		// https://pkg.go.dev/regexp#QuoteMeta
+		escaped := regexp.QuoteMeta(secret)
+
+		// create regexp to match secrets in the log data surrounded by regexp metacharacters
+		//
+		// https://pkg.go.dev/regexp#MustCompile
+		re := regexp.MustCompile((`(\s|^|"|:|'|\.|,)` + escaped + `(\s|$|"|:|'|\.|,)`))
+
+		// create a mask for the secret
+		mask := fmt.Sprintf("$1%s$2", constants.SecretLogMask)
+
+		// replace all regexp matches of secret with mask
+		//
+		// https://pkg.go.dev/regexp#Regexp.ReplaceAll
+		data = re.ReplaceAll(data, []byte(mask))
+	}
+
+	// update data field to masked logs
+	l.SetData(data)
+}
+
 // GetID returns the ID field.
 //
 // When the provided Log type is nil, or the field within

diff --git a/library/log_test.go b/library/log_test.go
@@ -42,6 +42,55 @@ func TestLibrary_Log_AppendData(t *testing.T) {
 	}
 }
 
+func TestLibrary_Log_MaskData(t *testing.T) {
+	// set up test secrets
+	sVals := []string{"secret", "((%.YY245***pP.><@@}}", "littlesecret", "extrasecret"}
+
+	// set up test logs
+	s1 := "$ echo $NO_SECRET\nnosecret\n"
+	s2 := "((%.YY245***pP.><@@}}"
+	s2Masked := "***"
+	s3 := "$ echo $SECRET1\n((%.YY245***pP.><@@}}\n$ echo $SECRET2\nlittlesecret\n"
+	s3Masked := "$ echo $SECRET1\n***\n$ echo $SECRET2\n***\n"
+
+	tests := []struct {
+		want    []byte
+		log     []byte
+		secrets []string
+	}{
+		{ // no secrets in log
+			want:    []byte(s1),
+			log:     []byte(s1),
+			secrets: sVals,
+		},
+		{ // one secret in log
+			want:    []byte(s2Masked),
+			log:     []byte(s2),
+			secrets: sVals,
+		},
+		{ // multiple secrets in log
+			want:    []byte(s3Masked),
+			log:     []byte(s3),
+			secrets: sVals,
+		},
+		{ // empty secrets slice
+			want:    []byte(s3),
+			log:     []byte(s3),
+			secrets: []string{},
+		},
+	}
+	// run tests
+	l := testLog()
+	for _, test := range tests {
+		l.SetData(test.log)
+		l.MaskData(test.secrets)
+		got := l.GetData()
+		if !reflect.DeepEqual(got, test.want) {
+			t.Errorf("MaskData is %v, want %v", string(got), string(test.want))
+		}
+	}
+}
+
 func TestLibrary_Log_Getters(t *testing.T) {
 	// setup tests
 	tests := []struct {