Add redaction support for all token types

williammartin · williammartin · commit fa3c22e38b9b · 2024-10-24T15:02:15.000+02:00
diff --git a/testscript/testscript.go b/testscript/testscript.go
@@ -883,19 +883,23 @@ func (ts *TestScript) condition(cond string) (bool, error) {
 
 // Helpers for command implementations.
 
-// redactTokens looks at the entire string looking for strings that start with
-// gho_ or ghp_, then it finds everything after _ until a whitespace separator,
-// and replaces those characters with asterisks (e.g. gho_abc123 -> gho_******).
+// redactTokens looks at the entire string looking for strings that start with a known token prefix,
+// keeps the prefix that distinguishes the token type and masks the rest of the token with asterisks.
+// Note that it does not attempt to distinguish the end of a token from any suffixed characters so
+// gho_mytokenNOTATOKEN will mask the entirity of the string.
 func redactTokens(s string) string {
 	// Regular expression to match "ghp_" or "gho_" followed by any sequence of non-whitespace characters
-	re := regexp.MustCompile(`(gh[op]_)\S+`)
+	re := regexp.MustCompile(`(gh[pousr]_|github_pat_)\S+`)
 
 	// Replace matched strings with the prefix followed by asterisks
 	return re.ReplaceAllStringFunc(s, func(match string) string {
-		// Keep the "ghp_" or "gho_" prefix and replace the rest with asterisks
-		prefix := match[:4]                         // "ghp_" or "gho_"
-		length := len(match[4:])                    // Length of the remaining characters to be redacted
-		return prefix + strings.Repeat("*", length) // Replace the rest with asterisks
+		// If the match is gh then we want to keep the first 4 characters and redact everything else,
+		// otherwise, it must be a github_pat_ and then we keep the first 11 characters and redact everything else.
+		prefixLength := 4
+		if strings.HasPrefix(match, "github_pat_") {
+			prefixLength = 11
+		}
+		return match[:prefixLength] + strings.Repeat("*", len(match)-prefixLength)
 	})
 }
 
diff --git a/testscript/testscript_test.go b/testscript/testscript_test.go
@@ -411,59 +411,64 @@ func TestBadDir(t *testing.T) {
 }
 
 func TestRedactTokens(t *testing.T) {
+	// https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-authentication-to-github#githubs-token-formats
+	tokensToRedacted := map[string]string{
+		"ghp_1234567890":        "ghp_**********",
+		"github_pat_1234567890": "github_pat_**********",
+		"gho_1234567890":        "gho_**********",
+		"ghu_1234567890":        "ghu_**********",
+		"ghs_1234567890":        "ghs_**********",
+		"ghr_1234567890":        "ghr_**********",
+	}
+
 	tests := []struct {
 		name  string
 		input string
 		want  string
 	}{
 		{
-			name:  "no token",
-			input: "no token",
-			want:  "no token",
-		},
-		{
-			name:  "oauth token at start",
-			input: "gho_1234567890",
-			want:  "gho_**********",
-		},
-		{
-			name:  "oauth token at end",
-			input: "this is a gho_1234567890",
-			want:  "this is a gho_**********",
+			name:  "token at start",
+			input: "%s",
+			want:  "%s",
 		},
 		{
-			name:  "oauth token in middle",
-			input: "this is a gho_1234567890 and this is redacted",
-			want:  "this is a gho_********** and this is redacted",
+			name:  "token at end",
+			input: "this is a %s",
+			want:  "this is a %s",
 		},
 		{
-			name:  "oauth token at start with newline",
-			input: "gho_1234567890\n",
-			want:  "gho_**********\n",
+			name:  "token in middle",
+			input: "this is a %s and this is redacted",
+			want:  "this is a %s and this is redacted",
 		},
 		{
-			name:  "oauth token with no preceding word boundary",
-			input: "foogho_1234567890",
-			want:  "foogho_**********",
+			name:  "token at start with newline",
+			input: "%s\n",
+			want:  "%s\n",
 		},
 		{
-			name:  "oauth token no word boundary (extends redaction into next word)",
-			input: "gho_1234567890x",
-			want:  "gho_***********",
+			name:  "token with no preceding word boundary",
+			input: "foo%s",
+			want:  "foo%s",
 		},
 		{
-			name:  "pat token",
-			input: "ghp_1234567890",
-			want:  "ghp_**********",
+			name:  "token no word boundary (extends redaction into next word)",
+			input: "%sx",
+			want:  "%s*",
 		},
 	}
 
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			if got := redactTokens(test.input); got != test.want {
-				t.Fatalf("redactTokens(%q) == %q, want %q", test.input, got, test.want)
-			}
-		})
+	for token, redacted := range tokensToRedacted {
+		for _, test := range tests {
+			t.Run(fmt.Sprintf("%s: %s", token, test.name), func(t *testing.T) {
+				unredacted := fmt.Sprintf(test.input, token)
+				expected := fmt.Sprintf(test.want, redacted)
+
+				if got := redactTokens(unredacted); got != expected {
+					t.Fatalf("redactTokens(%q) == %q, want %q", unredacted, got, expected)
+				}
+			})
+		}
 	}
 }
 
