fix(security): multline secrets trivially transformed are redacted (#845)

A multiline secret transformed into a single line by replacing with \ followed by n is also redacted.

<!--start release-notes-assistant-->
<!--URL:https://code.forgejo.org/forgejo/runner-->
- bug fixes
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/845): <!--number 845 --><!--line 0 --><!--description Zml4KHNlY3VyaXR5KTogbXVsdGxpbmUgc2VjcmV0cyB0cml2aWFsbHkgdHJhbnNmb3JtZWQgYXJlIHJlZGFjdGVk-->fix(security): multline secrets trivially transformed are redacted<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/845
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>

internal/pkg/report/mask.go

@@ -36,13 +36,16 @@ func (o *masker) add(secret string) {
 		slices.SortFunc(o.multiLines, func(a, b []string) int {
 			return cmp.Compare(len(b), len(a))
 		})
-	} else {
-		o.lines = append(o.lines, lines[0])
-		// make sure the longest secret are replaced first
-		slices.SortFunc(o.lines, func(a, b string) int {
-			return cmp.Compare(len(b), len(a))
-		})
+		// a multiline secret transformed into a single line by replacing
+		// newlines with \ followed by n must also be redacted
+		secret = strings.Join(lines, "\\n")
 	}
+
+	o.lines = append(o.lines, secret)
+	// make sure the longest secret are replaced first
+	slices.SortFunc(o.lines, func(a, b string) int {
+		return cmp.Compare(len(b), len(a))
+	})
 }
 
 func (o *masker) getReplacer() *strings.Replacer {