From 13eb93ce12fce746faf53790212d011caf9b8ff5 Mon Sep 17 00:00:00 2001 From: rootiest Date: Mon, 8 Jun 2026 22:29:20 -0400 Subject: [PATCH] fix(sponge): escape leading -- in auth-flag pattern; purge stale -- patterns on load --- conf.d/sponge_privacy.fish | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/conf.d/sponge_privacy.fish b/conf.d/sponge_privacy.fish index e3929f4..49a1d17 100644 --- a/conf.d/sponge_privacy.fish +++ b/conf.d/sponge_privacy.fish @@ -40,7 +40,9 @@ end set -l _privacy_patterns # Common auth flags with values: --password x, --token x, --passphrase x, --api-key x -set -a _privacy_patterns '--(?:password|passwd|passphrase|token|secret|api[-_]key)(?:\s+|=)\S+' +# Use \- to avoid the pattern string starting with --, which string match +# would misinterpret as an unknown option flag. +set -a _privacy_patterns '\-\-(?:password|passwd|passphrase|token|secret|api[-_]key)(?:\s+|=)\S+' # Inline env var assignments with sensitive names: GITHUB_TOKEN=xxx, MY_API_KEY=abc set -a _privacy_patterns '(?i)\b[A-Z][A-Z0-9_]*(?:PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY|ACCESS_KEY|AUTH_KEY|CREDENTIAL)[A-Z0-9_]*=\S+' @@ -66,6 +68,14 @@ set -a _privacy_patterns 'docker\s+login\s.*(?:-p|--password)\s+\S+' # openssl passphrase arguments: -passin pass:xxx, -passout env:VAR set -a _privacy_patterns 'openssl\s.*-pass(?:in|out)\s+\S+' +# Remove any previously stored patterns that begin with -- ; string match +# passes patterns before its own -- sentinel and would treat them as flags. +for _i in (seq (count $sponge_regex_patterns) -1 1) + if string match --quiet -- '--*' $sponge_regex_patterns[$_i] + set -Ue sponge_regex_patterns[$_i] + end +end + # Idempotent registration into universal sponge_regex_patterns for _pattern in $_privacy_patterns if not contains -- $_pattern $sponge_regex_patterns