fix(security): multline secrets trivially transformed are redacted

A multiline secret transformed into a single line by replacing with \ followed by n is also redacted.
2025-09-15 18:57:01 +00:00 · 2025-08-11 11:03:21 +02:00 · 2025-08-11 11:03:21 +02:00 · 6d938ad5ba
commit 6d938ad5ba
parent 592226943f
2 changed files with 22 additions and 6 deletions
--- a/internal/pkg/report/mask.go
+++ b/internal/pkg/report/mask.go
@ -36,13 +36,16 @@ func (o *masker) add(secret string) {
 		slices.SortFunc(o.multiLines, func(a, b []string) int {
 			return cmp.Compare(len(b), len(a))
 		})
-	} else {
-		o.lines = append(o.lines, lines[0])
-		// make sure the longest secret are replaced first
-		slices.SortFunc(o.lines, func(a, b string) int {
-			return cmp.Compare(len(b), len(a))
-		})
+		// a multiline secret transformed into a single line by replacing
+		// newlines with \ followed by n must also be redacted
+		secret = strings.Join(lines, "\\n")
 	}
+
+	o.lines = append(o.lines, secret)
+	// make sure the longest secret are replaced first
+	slices.SortFunc(o.lines, func(a, b string) int {
+		return cmp.Compare(len(b), len(a))
+	})
 }

 func (o *masker) getReplacer() *strings.Replacer {
--- a/internal/pkg/report/mask_test.go
+++ b/internal/pkg/report/mask_test.go
@ -41,6 +41,19 @@ SIX`
 			out:      "line before\n***\n***\n***\nline after\n",
 			needMore: false,
 		},
+		{
+			//
+			// a multiline secret where newlines are represented
+			// as \ followed by n is masked
+			//
+			name: "MultilineTransformedIsMasked",
+			secrets: []string{
+				multiLineOne,
+			},
+			in:       fmt.Sprintf("line before\n%[1]s\\nTWO\\nTHREE\nline after", lineOne),
+			out:      "line before\n***\nline after\n",
+			needMore: false,
+		},
 		{
 			//
 			// in a multiline secret \r\n is equivalent to \n and does