fix: redact all private keys from config output

PR-URL: #4142
Credit: @lukekarrys
Close: #4142
Reviewed-by: @wraithgar

Author: lukekarrys

lib/commands/config.js

@@ -28,7 +28,17 @@ const keyValues = args => {
   return kv
 }
 
-const publicVar = k => !/^(\/\/[^:]+:)?_/.test(k)
+const publicVar = k => {
+  // _password
+  if (k.startsWith('_')) {
+    return false
+  }
+  // //localhost:8080/:_password
+  if (k.startsWith('//') && k.includes(':_')) {
+    return false
+  }
+  return true
+}
 
 const BaseCommand = require('../base-command.js')
 class Config extends BaseCommand {
@@ -147,7 +157,7 @@ class Config extends BaseCommand {
     const out = []
     for (const key of keys) {
       if (!publicVar(key)) {
-        throw `The ${key} option is protected, and cannot be retrieved in this way`
+        throw new Error(`The ${key} option is protected, and cannot be retrieved in this way`)
       }
 
       const pref = keys.length > 1 ? `${key}=` : ''

lib/utils/exit-handler.js

@@ -116,6 +116,7 @@ const exitHandler = err => {
       exitCode = err.code
       noLogMessage = true
     } else if (typeof err === 'string') {
+      // XXX: we should stop throwing strings
       log.error('', err)
       noLogMessage = true
     } else if (!(err instanceof Error)) {

test/lib/commands/config.js

@@ -333,7 +333,13 @@ t.test('config get private key', async t => {
 
   await t.rejects(
     sandbox.run('config', ['get', '_authToken']),
-    '_authToken is protected',
+    /_authToken option is protected/,
+    'rejects with protected string'
+  )
+
+  await t.rejects(
+    sandbox.run('config', ['get', '//localhost:8080/:_password']),
+    /_password option is protected/,
     'rejects with protected string'
   )
 })