diff --git a/packages/core/src/percy.js b/packages/core/src/percy.js index 1bab43d7a..910befc0f 100644 --- a/packages/core/src/percy.js +++ b/packages/core/src/percy.js @@ -863,7 +863,10 @@ export class Percy { if (!process.env.PERCY_TOKEN) return; try { const logsObject = { - clilogs: logger.query(log => !['ci'].includes(log.debug)) + // Redact secrets from CLI logs before egress to the Percy API — these + // can contain tokens or URLs with embedded credentials (CWE-532). The + // cilogs below were already redacted; clilogs were not. + clilogs: redactSecrets(logger.query(log => !['ci'].includes(log.debug))) }; // Only add CI logs if not disabled voluntarily. diff --git a/packages/core/src/secretPatterns.yml b/packages/core/src/secretPatterns.yml index 12bc3e089..26328bef5 100644 --- a/packages/core/src/secretPatterns.yml +++ b/packages/core/src/secretPatterns.yml @@ -7021,4 +7021,8 @@ patterns: - pattern: name: Bitcoin Address regex: '^[13][a-km-zA-HJ-NP-Z0-9]{26,33}$' + confidence: high + - pattern: + name: Percy Token + regex: '(web|app|auto|ss|vmw|res)_[A-Za-z0-9]{20,}' confidence: high \ No newline at end of file diff --git a/packages/core/src/snapshot.js b/packages/core/src/snapshot.js index 8d23e9352..703f86ab5 100644 --- a/packages/core/src/snapshot.js +++ b/packages/core/src/snapshot.js @@ -45,21 +45,31 @@ function validateAndFixSnapshotUrl(snapshot) { // used to deserialize regular expression strings const RE_REGEXP = /^\/(.+)\/(\w+)?$/; +// Upper bound on the snapshot name length we will run user-controllable +// regex/glob matching against. A crafted, very long snapshot name reaching this +// matcher (e.g. via the local API) combined with a backtracking-prone pattern +// could otherwise trigger catastrophic backtracking / ReDoS (CWE-1333). Real +// snapshot names are short; an over-long name simply does not match patterns. +const MAX_MATCH_INPUT_LENGTH = 2048; + // Returns true or false if a snapshot matches the provided include and exclude predicates. A // predicate can be an array of predicates, a regular expression, a glob pattern, or a function. function snapshotMatches(snapshot, include, exclude) { // support an options object as the second argument if (include?.include || include?.exclude) ({ include, exclude } = include); + // guard pattern matching against pathologically long inputs (ReDoS) + let patternSafe = typeof snapshot.name === 'string' && snapshot.name.length <= MAX_MATCH_INPUT_LENGTH; + // recursive predicate test function let test = (predicate, fallback) => { if (predicate && typeof predicate === 'string') { - // snapshot name matches exactly or matches a glob + // exact match is always safe; glob matching is only run on bounded input let result = snapshot.name === predicate || - micromatch.isMatch(snapshot.name, predicate); + (patternSafe && micromatch.isMatch(snapshot.name, predicate)); - // snapshot might match a string-based regexp pattern - if (!result) { + // snapshot might match a string-based regexp pattern (bounded input only) + if (!result && patternSafe) { try { let [, parsed, flags] = RE_REGEXP.exec(predicate) || []; result = !!parsed && new RegExp(parsed, flags).test(snapshot.name); @@ -68,8 +78,8 @@ function snapshotMatches(snapshot, include, exclude) { return result; } else if (predicate instanceof RegExp) { - // snapshot matches a regular expression - return predicate.test(snapshot.name); + // snapshot matches a regular expression (bounded input only) + return patternSafe && predicate.test(snapshot.name); } else if (typeof predicate === 'function') { // advanced matching return predicate(snapshot); diff --git a/packages/core/src/utils.js b/packages/core/src/utils.js index bdc206587..39c5b49f0 100644 --- a/packages/core/src/utils.js +++ b/packages/core/src/utils.js @@ -615,10 +615,23 @@ export async function withRetries(fn, { count, onRetry, signal, throwOn }) { } } -export function redactSecrets(data) { - const filepath = path.resolve(url.fileURLToPath(import.meta.url), '../secretPatterns.yml'); - const secretPatterns = YAML.parse(readFileSync(filepath, 'utf-8')); +// Lazily load and compile the secret patterns once. The pattern file holds +// ~1.7k regexes; parsing the YAML and compiling every RegExp on each call made +// redactSecrets O(patterns) per string and re-read the file for every recursive +// call. Since redactSecrets now runs over the full CLI log array on egress +// (sendBuildLogs), that per-call cost is paid hundreds of times and could blow +// past test/runtime timeouts. Compile once and reuse. +let _compiledSecretPatterns; +function getSecretPatterns() { + if (!_compiledSecretPatterns) { + const filepath = path.resolve(url.fileURLToPath(import.meta.url), '../secretPatterns.yml'); + const secretPatterns = YAML.parse(readFileSync(filepath, 'utf-8')); + _compiledSecretPatterns = secretPatterns.patterns.map(p => new RegExp(p.pattern.regex, 'g')); + } + return _compiledSecretPatterns; +} +export function redactSecrets(data) { if (Array.isArray(data)) { // Process each item in the array return data.map(item => redactSecrets(item)); @@ -627,8 +640,8 @@ export function redactSecrets(data) { data.message = redactSecrets(data.message); } if (typeof data === 'string') { - for (const pattern of secretPatterns.patterns) { - data = data.replace(new RegExp(pattern.pattern.regex, 'g'), '[REDACTED]'); + for (const pattern of getSecretPatterns()) { + data = data.replace(pattern, '[REDACTED]'); } } return data; diff --git a/packages/core/test/unit/utils.test.js b/packages/core/test/unit/utils.test.js index 7b143cd61..62bd392f6 100644 --- a/packages/core/test/unit/utils.test.js +++ b/packages/core/test/unit/utils.test.js @@ -220,6 +220,17 @@ describe('Unit / Utils', () => { }); }); + describe('Percy token prefixes', () => { + for (const prefix of ['web', 'app', 'auto', 'ss', 'vmw', 'res']) { + it(`redacts a ${prefix}_ Percy token`, () => { + let token = `${prefix}_aB3dE7gH1jK4mN6pQ9sTuVwXyZ012345`; + let redacted = redactSecrets(`Authenticated build using ${token} now`); + expect(redacted).toContain('[REDACTED]'); + expect(redacted).not.toContain(token); + }); + } + }); + describe('base64encode', () => { it('should return base64 string', () => { expect(base64encode('abcd')).toEqual('YWJjZA==');