From 43d06461505fb2e7179a3ab3abcdb8331e7d520b Mon Sep 17 00:00:00 2001
From: Pierre Vanduynslager <pierre.denis.vanduynslager@gmail.com>
Date: Mon, 30 Jul 2018 13:58:35 -0400
Subject: [PATCH] fix: also hide sensitive info when loggin from `cli.js`

---
 cli.js                |  6 ++++--
 lib/hide-sensitive.js |  4 +---
 test/cli.test.js      | 14 ++++++++++++++
 3 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/cli.js b/cli.js
index 42ed2685..8bd89f03 100755
--- a/cli.js
+++ b/cli.js
@@ -1,4 +1,6 @@
-const {argv} = require('process');
+const {argv, env, stderr} = require('process');
+const util = require('util');
+const hideSensitive = require('./lib/hide-sensitive');
 
 const stringList = {
   type: 'string',
@@ -57,7 +59,7 @@ Usage:
     return 0;
   } catch (err) {
     if (err.name !== 'YError') {
-      console.error(err);
+      stderr.write(hideSensitive(env)(util.inspect(err, {colors: true})));
     }
     return 1;
   }
diff --git a/lib/hide-sensitive.js b/lib/hide-sensitive.js
index e457adda..bb70d861 100644
--- a/lib/hide-sensitive.js
+++ b/lib/hide-sensitive.js
@@ -7,7 +7,5 @@ module.exports = env => {
   );
 
   const regexp = new RegExp(toReplace.map(envVar => escapeRegExp(env[envVar])).join('|'), 'g');
-  return output => {
-    return output && toReplace.length > 0 ? output.toString().replace(regexp, SECRET_REPLACEMENT) : output;
-  };
+  return output => (output && toReplace.length > 0 ? output.toString().replace(regexp, SECRET_REPLACEMENT) : output);
 };
diff --git a/test/cli.test.js b/test/cli.test.js
index 5aaab711..2b1a2910 100644
--- a/test/cli.test.js
+++ b/test/cli.test.js
@@ -1,6 +1,8 @@
 import test from 'ava';
+import {escapeRegExp} from 'lodash';
 import proxyquire from 'proxyquire';
 import {stub} from 'sinon';
+import {SECRET_REPLACEMENT} from '../lib/definitions/constants';
 
 const requireNoCache = proxyquire.noPreserveCache();
 
@@ -208,3 +210,15 @@ test.serial('Return error code if semantic-release throw error', async t => {
   t.regex(t.context.errors, /semantic-release error/);
   t.is(exitCode, 1);
 });
+
+test.serial('Hide sensitive environment variable values from the logs', async t => {
+  const env = {MY_TOKEN: 'secret token'};
+  const run = stub().rejects(new Error(`Throw error: Exposing token ${env.MY_TOKEN}`));
+  const argv = ['', ''];
+  const cli = requireNoCache('../cli', {'.': run, process: {...process, argv, env: {...process.env, ...env}}});
+
+  const exitCode = await cli();
+
+  t.regex(t.context.errors, new RegExp(`Throw error: Exposing token ${escapeRegExp(SECRET_REPLACEMENT)}`));
+  t.is(exitCode, 1);
+});