Merge branch 'main' into fix/secret-scanning-locations-types

Author: theztefan

LATEST-VERSION.txt

@@ -1 +1 @@
-v1.12.0
+v1.13.0

RELEASENOTES.md

@@ -1,2 +1,2 @@
 - Improved location matching logic for Secret Scanning alert locations in - `gh gei migrate-secret-alerts`.
-- Fixed a bug in `gh gei migrate-secret-alerts` where alerts with locations of non `commit` and `wiki_commit` type were not matched correctly.
+- Fixed a bug in `gh gei migrate-secret-alerts` where alerts with locations of non `commit` and `wiki_commit` type were not matched correctly.

releasenotes/v1.13.0.md

@@ -0,0 +1,2 @@
+- `gh gei migrate-repo` logs the git and metadata archive download paths when `--keep-archive` is used.
+- Redact sensitive query arguments in SAS URLs

src/Octoshift/Services/OctoLogger.cs

@@ -34,8 +34,12 @@ public class OctoLogger
 
     private readonly List<string> _redactionPatterns =
     [
-        "\\b(?<=token=)(.+?)\\b",
-        "\\b(?<=X-Amz-Credential=)(.+?)\\b",
+        // General purpose "Don't include the token"
+        "\\b(?<=token=)([^&]+?)\\b",
+        // AWS SIGv4 credential
+        "\\b(?<=X-Amz-Credential=)([^&]+?)\\b",
+        // Azure Blob Store SAS URL signature
+        "\\b(?<=sig=)([^&]+?)\\b",
     ];
 
     public OctoLogger()

src/OctoshiftCLI.Tests/Octoshift/Services/OctoLoggerTests.cs

@@ -110,6 +110,35 @@ public void Aws_Url_X_Aws_Credential_Parameters_Should_Be_Replaced_In_Logs_And_C
         _consoleOutput.ToLower().Should().Contain("&x-amz-credential=***");
     }
 
+    [Theory]
+    [InlineData("https://t3a00c49dev02arg01sa01.blob.core.windows.net/migration-archives-a9fd67c9-e987-4b3e-9cf2-439a95b7f275/f4e871a0-3214-4f94-a82b-8937cece6234.tar?sv=2023-11-03&se=2025-04-10T22%3A32%3A24Z&sr=b&sp=r&sig=y1rXBOGONXMXup%2B0%3D")]
+    [InlineData("https://t3a00c49dev02arg01sa01.blob.core.windows.net/migration-archives-a9fd67c9-e987-4b3e-9cf2-439a95b7f275/f4e871a0-3214-4f94-a82b-8937cece6234.tar?sig=y1rXBOGONXMXup%2B0%3D&sv=2023-11-03&se=2025-04-10T22%3A32%3A24Z&sr=b&sp=r")]
+    public void Azure_SAS_URL_Sig_Parameter_Should_Be_Redacted_In_Logs_And_Console(string sasUrl)
+    {
+        const string sig = "y1rXBOGONXMXup%2B0%3D";
+        // Belt and suspenders
+        sasUrl.Should().Contain(sig);
+
+        _octoLogger.Verbose = false;
+        _octoLogger.LogInformation($"Archive (metadata) download url: {sasUrl}");
+        _octoLogger.LogVerbose($"Archive (metadata) download url: {sasUrl}");
+        _octoLogger.LogWarning($"Archive (metadata) download url: {sasUrl}");
+        _octoLogger.LogSuccess($"Archive (metadata) download url: {sasUrl}");
+        _octoLogger.LogError($"Archive (metadata) download url: {sasUrl}");
+        _octoLogger.LogError(new OctoshiftCliException($"Archive (metadata) download url: {sasUrl}"));
+        _octoLogger.LogError(new InvalidOperationException($"Archive (metadata) download url: {sasUrl}"));
+
+        _octoLogger.Verbose = true;
+        _octoLogger.LogVerbose($"Archive (metadata) download url: {sasUrl}");
+
+        _consoleOutput.Should().NotContain(sasUrl);
+        _logOutput.Should().NotContain(sasUrl);
+        _verboseLogOutput.Should().NotContain(sasUrl);
+        _consoleError.Should().NotContain(sasUrl);
+
+        _consoleOutput.ToLower().Should().Contain("sig=***");
+    }
+
     [Fact]
     public void LogError_For_OctoshiftCliException_Should_Log_Exception_Message_In_Non_Verbose_Mode()
     {