Merge pull request #1419 from intuit/leaky-token

don't leak GH_TOKEN in exec promise output

Author: hipstersmoothie

packages/core/src/auto.ts

@@ -569,7 +569,7 @@ export default class Auto {
     this.logger.verbose.info(
       `Using remote: ${this.remote.replace(
         token,
-        `****${token.substring(0, 4)}`
+        `****${token.slice(-4)}`
       )}`
     );
     this.hooks.onCreateRelease.call(this.release);

packages/core/src/utils/__tests__/exec-promise.test.ts

@@ -29,6 +29,14 @@ test("fails correctly", async () => {
   );
 });
 
+test("fails correctly with GH_TOKEN", async () => {
+  process.env.GH_TOKEN = '1234567890'
+  expect.assertions(1);
+  return expect(exec("false", [process.env.GH_TOKEN])).rejects.toMatchInlineSnapshot(
+    `[Error: Running command 'false' with args [****7890] failed]`
+  );
+});
+
 test("appends stdout and stderr", async () => {
   expect.assertions(1);
   return expect(

packages/core/src/utils/exec-promise.ts

@@ -66,11 +66,15 @@ export default async function execPromise(
         let appendedStdErr = "";
         appendedStdErr += allStdout.length ? `\n\n${allStdout}` : "";
         appendedStdErr += allStderr.length ? `\n\n${allStderr}` : "";
+        const argList = filteredArgs
+          .join(", ")
+          .replace(
+            new RegExp(`${process.env.GH_TOKEN}`, "g"),
+            `****${(process.env.GH_TOKEN || "").slice(-4)}`
+          );
 
         const error = new Error(
-          `Running command '${cmd}' with args [${args.join(
-            ", "
-          )}] failed${appendedStdErr}`
+          `Running command '${cmd}' with args [${argList}] failed${appendedStdErr}`
         );
         error.stack = (error.stack || "") + callSite;
         reject(error);