fix: scrubbing more aggressively anything in the logs that MIGHT be password affiliated (handling spaces in secrets)

Author: mmaietta

.changeset/shaggy-garlics-joke.md

@@ -0,0 +1,5 @@
+---
+"builder-util": patch
+---
+
+fix: scrubbing more aggressively anything in the logs that MIGHT be password affiliated (handling spaces in secrets)

packages/builder-util/src/util.ts

@@ -42,13 +42,29 @@ export function serializeToYaml(object: any, skipInvalid = false, noRefs = false
   })
 }
 
-export function removePassword(input: string) {
-  return input.replace(/(-String |-P |pass:| \/p |-pass |--secretKey |--accessKey |-p )([^ ]+)/g, (match, p1, p2) => {
-    if (p1.trim() === "/p" && p2.startsWith("\\\\Mac\\Host\\\\")) {
-      // appx /p
-      return `${p1}${p2}`
+export function removePassword(input: string): string {
+  const blockList = ["--accessKey", "--secretKey", "-P", "-p", "-pass", "-String", "/p", "pass:"]
+
+  // Create a regex pattern that supports:
+  //   - space-separated unquoted values: --key value
+  //   - quoted values: --key "value with spaces" or 'value with spaces'
+  const blockPattern = new RegExp(`(${blockList.map(s => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")).join("|")})\\s*(?:(["'])(.*?)\\2|([^\\s]+))`, "g")
+
+  input = input.replace(blockPattern, (_match, prefix, quote, quotedVal, unquotedVal) => {
+    const value = quotedVal ?? unquotedVal
+
+    if (prefix.trim() === "/p" && value.startsWith("\\\\Mac\\Host\\\\")) {
+      return `${prefix}${quote ?? ""}${value}${quote ?? ""}`
     }
-    return `${p1}${createHash("sha256").update(p2).digest("hex")} (sha256 hash)`
+
+    const hashed = createHash("sha256").update(value).digest("hex")
+    return `${prefix}${quote ?? ""}${hashed} (sha256 hash)${quote ?? ""}`
+  })
+
+  // Also handle `/b ... /c` block format
+  return input.replace(/(\/b\s+)(.*?)(\s+\/c)/g, (_match, p1, p2, p3) => {
+    const hashed = createHash("sha256").update(p2).digest("hex")
+    return `${p1}${hashed} (sha256 hash)${p3}`
   })
 }