When inferring additional secrets from multi-line content, ignore very short lines.

src/Runner.Worker/ActionCommandManager.cs

@@ -405,8 +405,9 @@ namespace GitHub.Runner.Worker
                 Trace.Info($"Add new secret mask with length of {command.Data.Length}");
 
                 // Also add each individual line. Typically individual lines are processed from STDOUT of child processes.
-                var split = command.Data.Split(new[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);
+                var auxiliarySecrets = command.Data.Split(new[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)
-                foreach (var item in split)
+                                                   .Where(candidate => candidate.Length >= HostContext.SecretMasker.DerivedSecretRecommendedMinimumLength);
+                foreach (var item in auxiliarySecrets)
                 {
                     HostContext.SecretMasker.AddValue(item);
                 }

src/Runner.Worker/Worker.cs

@@ -3,10 +3,10 @@ using Pipelines = GitHub.DistributedTask.Pipelines;
 using GitHub.Runner.Common.Util;
 using Newtonsoft.Json;
 using System;
+using System.Linq;
 using System.Collections.Generic;
 using System.Threading;
 using System.Threading.Tasks;
-using GitHub.Services.WebApi;
 using GitHub.Runner.Common;
 using GitHub.Runner.Sdk;
 using System.Text;
@@ -156,8 +156,9 @@ namespace GitHub.Runner.Worker
                     HostContext.SecretMasker.AddValue(value);
 
                     // Also add each individual line. Typically individual lines are processed from STDOUT of child processes.
-                    var split = value.Split(new[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);
+                    var auxiliarySecrets = value.Split(new[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)
-                    foreach (var item in split)
+                                                .Where(candidate => candidate.Length >= HostContext.SecretMasker.DerivedSecretRecommendedMinimumLength);
+                    foreach (var item in auxiliarySecrets)
                     {
                         HostContext.SecretMasker.AddValue(item);
                     }

src/Sdk/DTLogging/Logging/ISecretMasker.cs

@@ -6,6 +6,7 @@ namespace GitHub.DistributedTask.Logging
     [EditorBrowsable(EditorBrowsableState.Never)]
     public interface ISecretMasker
     {
+        int DerivedSecretRecommendedMinimumLength { get; }
         void AddRegex(String pattern);
         void AddValue(String value);
         ISecretMasker Clone();

src/Sdk/DTLogging/Logging/SecretMasker.cs

@@ -40,6 +40,19 @@ namespace GitHub.DistributedTask.Logging
             }
         }
 
+        /// <summary>
+        /// Provide callers with a recommendation on what to consider a secret.
+        /// This is helpful in cases where JSON (for example) is broken into multiple lines
+        /// and we don't want to start treating standalone JSON control characters as secrets.
+        /// </summary>
+        public int DerivedSecretRecommendedMinimumLength
+        {
+            get
+            {
+                return 3;
+            }
+        }
+
         /// <summary>
         /// This implementation assumes no more than one thread is adding regexes, values, or encoders at any given time.
         /// </summary>