Fix Harden regular expression to used to strip secrets in logs (#4563)…

… [ci fast] Include option to strip secrets from single-quoted strings Signed-off-by: Rob Syme <[email protected]>
nextflow-io · Dec 9, 2023 · 832bff2 · 832bff2
1 parent d3c2f33
commit 832bff2
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 8 deletions.
diff --git a/modules/nf-commons/src/main/nextflow/util/StringUtils.groovy b/modules/nf-commons/src/main/nextflow/util/StringUtils.groovy
@@ -56,7 +56,7 @@ class StringUtils {
         return m.matches() ? m.group(1).toLowerCase() : null
     }
 
-    static private Pattern multilinePattern = ~/"?(password|token|secret|license)"?\s?[:=]\s?"?(\w+)"?/
+    static private Pattern multilinePattern = ~/["']?(password|token|secret|license)["']?\s?[:=]\s?["']?(\w+)["']?/
 
     static String stripSecrets(String message) {
         if (message == null) {

diff --git a/modules/nf-commons/src/test/nextflow/util/StringUtilsTest.groovy b/modules/nf-commons/src/test/nextflow/util/StringUtilsTest.groovy
@@ -100,13 +100,15 @@ class StringUtilsTest extends Specification {
         StringUtils.stripSecrets(SECRET) == EXPECTED
 
         where:
-        SECRET                                  | EXPECTED
-        'Hi\n here is the "password" : "1234"'  | 'Hi\n here is the "password" : "********"'
-        'Hi\n here is the password : "1"'       | 'Hi\n here is the password : "********"'
-        'Hi\n here is the password : "1"'       | 'Hi\n here is the password : "********"'
-        'Hi\n "password" :"1" \n "token": "123"'| 'Hi\n "password" :"********" \n "token": "********"'
-        'Hi\n password :"1"\nsecret: "345"'     | 'Hi\n password :"********"\nsecret: "********"'
-        'secret="abc" password:"1" more text'   | 'secret="********" password:"********" more text'
+        SECRET                                          | EXPECTED
+        'Hi\n here is the "password" : "1234"'          | 'Hi\n here is the "password" : "********"'
+        'Hi\n here is the password : "1"'               | 'Hi\n here is the password : "********"'
+        'Hi\n here is the password : \'1\''             | 'Hi\n here is the password : \'********\''
+        'Hi\n "password" :"1" \n "token": "123"'        | 'Hi\n "password" :"********" \n "token": "********"'
+        'Hi\n "password" :\'1\' \n "token": "123"'      | 'Hi\n "password" :\'********\' \n "token": "********"'
+        'Hi\n \'password\' :\'1\' \n \'token\': \'123\''| 'Hi\n \'password\' :\'********\' \n \'token\': \'********\''
+        'Hi\n password :"1"\nsecret: "345"'             | 'Hi\n password :"********"\nsecret: "********"'
+        'secret="abc" password:"1" more text'           | 'secret="********" password:"********" more text'
     }
 
     @Unroll