Merge pull request #11837 from soapy1/scrub-whole-word-credentials

Scrub credentials as whole words, don't capture matching substrings

lib/vagrant/action/builtin/mixin_synced_folders.rb

@@ -99,10 +99,6 @@ module Vagrant
 
           folder_data = JSON.dump(folders)
 
-          # Scrub any register credentials from the synced folders
-          # configuration data to prevent accidental leakage
-          folder_data = Util::CredentialScrubber.desensitize(folder_data)
-
           machine.data_dir.join("synced_folders").open("w") do |f|
             f.write(folder_data)
           end

lib/vagrant/util/credential_scrubber.rb

@@ -32,7 +32,7 @@ module Vagrant
       def self.desensitize(string)
         string = string.to_s.dup
         sensitive_strings.each do |remove|
-          string.gsub!(remove, REPLACEMENT_TEXT)
+          string.gsub!(/(\W|^)#{Regexp.escape(remove)}(\W|$)/, "\\1#{REPLACEMENT_TEXT}\\2")
         end
         string
       end

test/unit/vagrant/action/builtin/mixin_synced_folders_test.rb

@@ -273,11 +273,6 @@ describe Vagrant::Action::Builtin::MixinSyncedFolders do
       subject.save_synced_folders(machine, folders, options)
     end
 
-    it "should call credential scrubber before writing file" do
-      expect(Vagrant::Util::CredentialScrubber).to receive(:desensitize).and_call_original
-      subject.save_synced_folders(machine, folders, options)
-    end
-
     context "when folder data is defined" do
       let(:folders) {
         {"root" => {
@@ -288,31 +283,6 @@ describe Vagrant::Action::Builtin::MixinSyncedFolders do
         expect(output_file).to receive(:write).with(JSON.dump(folders))
         subject.save_synced_folders(machine, folders, options)
       end
-
-      context "when folder data configuration includes sensitive data" do
-        let(:password) { "VAGRANT_TEST_PASSWORD" }
-
-        before do
-          folders["root"][:folder_password] = password
-          Vagrant::Util::CredentialScrubber.sensitive(password)
-        end
-
-        after { Vagrant::Util::CredentialScrubber.unsensitive(password) }
-
-        it "should not include password when writing file" do
-          expect(output_file).to receive(:write) do |content|
-            expect(content).not_to include(password)
-          end
-          subject.save_synced_folders(machine, folders, options)
-        end
-
-        it "should mask password content when writing file" do
-          expect(output_file).to receive(:write) do |content|
-            expect(content).to include(Vagrant::Util::CredentialScrubber::REPLACEMENT_TEXT)
-          end
-          subject.save_synced_folders(machine, folders, options)
-        end
-      end
     end
   end
 

test/unit/vagrant/util/credential_scrubber_test.rb

@@ -94,5 +94,30 @@ describe Vagrant::Util::CredentialScrubber do
         end
       end
     end
+
+    context "with sensitive words that are part of non-sensitive words" do
+      let(:to_scrub){ ["a"] }
+     
+      it "should not remove parts of words" do
+        result = subject.desensitize(string)
+        to_scrub.each do |registered_value|
+          expect(result).not_to match(/(\W|^)#{registered_value}(\W|$)/)
+        end
+        expect(result).to include("my-birthday")
+        expect(result).to include("my-cats-birthday")
+      end
+    end
+
+    context "with sensitive words that are part of non-sensitive words" do
+      let(:to_scrub){ ["avery@strange/string^indeed!"] }
+      let(:string){ "a line of text with avery@strange/string^indeed! my-birthday and my-cats-birthday embedded" }
+
+      it "should work for strings with escape characters" do
+        result = subject.desensitize(string)
+        to_scrub.each do |registered_value|
+          expect(result).not_to include(registered_value)
+        end
+      end
+    end
   end
 end