don't replace sensitive data if $ sign is escaped

close #205

Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>

plugin/src/main/java/io/jenkins/plugins/casc/SecretSource.java

@@ -21,7 +21,9 @@ import java.util.regex.Pattern;
 @Restricted(Beta.class)
 public abstract class SecretSource implements ExtensionPoint {
 
-    public static final Pattern SECRET_PATTERN = Pattern.compile("\\$\\{([^:\\s]*)(?::-)?([^}\\s]*)?\\}");
+    // TODO we probably will quickly reach some limits using regexp
+    // Maybe we could adopt https://github.com/AndersDJohnson/brace-expansion-java or implement something comparable
+    public static final Pattern SECRET_PATTERN = Pattern.compile("(?<!\\\\)\\$\\{([^:\\s]*)(?::-)?([^}\\s]*)?\\}");
 
     //We need to compile the matcher once for every key we examine.
     public static Optional<String> requiresReveal(String key) {

plugin/src/test/java/io/jenkins/plugins/casc/SecretSourceTest.java

@@ -0,0 +1,29 @@
+package io.jenkins.plugins.casc;
+
+import org.junit.Test;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+/**
+ * @author <a href="mailto:nicolas.deloof@gmail.com">Nicolas De Loof</a>
+ */
+public class SecretSourceTest {
+
+    @Test
+    public void should_detect_var() {
+        assertTrue(SecretSource.requiresReveal("${foo}").isPresent());
+    }
+
+    @Test
+    public void should_detect_var_with_default_value() {
+        assertTrue(SecretSource.requiresReveal("${foo:-bar}").isPresent());
+    }
+
+    @Test
+    public void should_not_detect_escaped_dollar() {
+        assertFalse(SecretSource.requiresReveal("\\${foo}").isPresent());
+    }
+
+
+}