Merge pull request #12414 from alebcay/create_github_pr_redact_secrets

GitHub.create_bump_pr: don't leak GitHub token if set via environment variable

Merge pull request #12414 from alebcay/create_github_pr_redact_secrets
GitHub.create_bump_pr: don't leak GitHub token if set via environment variable
449d0430 · Mike McQuaid · GitHub · 6c341516 · 333f44f8 · 449d0430
--- a/Library/Homebrew/system_command.rb
+++ b/Library/Homebrew/system_command.rb
@@ -53,10 +53,10 @@ class SystemCommand
    each_output_line do |type, line|
      case type
      when :stdout
-        $stdout << line if print_stdout?
+        $stdout << redact_secrets(line, @secrets) if print_stdout?
        @output << [:stdout, line]
      when :stderr
-        $stderr << line if print_stderr?
+        $stderr << redact_secrets(line, @secrets) if print_stderr?
        @output << [:stderr, line]
      end
    end

--- a/Library/Homebrew/test/system_command_spec.rb
+++ b/Library/Homebrew/test/system_command_spec.rb
@@ -282,6 +282,30 @@ describe SystemCommand do
      end
    end

+    context "when running a process that prints secrets" do
+      it "does not leak the secrets" do
+        redacted_msg = /#{Regexp.escape("username:******")}/
+        expect {
+          described_class.run! "echo",
+                               args:         %w[username:hunter2],
+                               verbose:      true,
+                               print_stdout: true,
+                               secrets:      %w[hunter2]
+        }.to output(redacted_msg).to_stdout
+      end
+
+      it "does not leak the secrets set by environment" do
+        redacted_msg = /#{Regexp.escape("username:******")}/
+        expect {
+          ENV["PASSWORD"] = "hunter2"
+          described_class.run! "echo",
+                               args:         %w[username:hunter2],
+                               print_stdout: true,
+                               verbose:      true
+        }.to output(redacted_msg).to_stdout
+      end
+    end
+
    context "when a `SIGINT` handler is set in the parent process" do
      it "is not interrupted" do
        start_time = Time.now

--- a/Library/Homebrew/utils/github.rb
+++ b/Library/Homebrew/utils/github.rb
@@ -5,12 +5,16 @@ require "uri"
 require "utils/github/actions"
 require "utils/github/api"

+require "system_command"
+
 # Wrapper functions for the GitHub API.
 #
 # @api private
 module GitHub
  extend T::Sig

+  include SystemCommand::Mixin
+
  module_function

  def check_runs(repo: nil, commit: nil, pr: nil)
@@ -530,7 +534,8 @@ module GitHub
                    "--", *changed_files
        return if args.commit?

-        safe_system "git", "push", "--set-upstream", remote_url, "#{branch}:#{branch}"
+        system_command!("git", args:         ["push", "--set-upstream", remote_url, "#{branch}:#{branch}"],
+                               print_stdout: true)
        safe_system "git", "checkout", "--quiet", previous_branch
        pr_message = <<~EOS
          #{pr_message}