multiline secrets are not sanitized #57

New issue

Open

opened 2023-07-18 14:44:43 +00:00 by earl-warren · 1 comment

earl-warren commented 2023-07-18 14:44:43 +00:00

Owner

Copy link

Steps to reproduce:

• Create a secret with two lines (ONE TWO)
• Run the workflow

  on: [push]
  jobs:
    test:
      runs-on: docker
      steps:
        - run: |
              set -x
              echo ">>>${{ secrets.MULTILINELEAK }}<<<"            
  

• See the secret displayed
  

Steps to reproduce: * Create a secret with two lines (ONE TWO) * Run the workflow ```yaml on: [push] jobs: test: runs-on: docker steps: - run: | set -x echo ">>>${{ secrets.MULTILINELEAK }}<<<" ``` * See the secret displayed 

image.png

25 KiB

👍 1

earl-warren added the

Kind/Bug

Priority

Critical

labels 2023-07-18 14:44:43 +00:00

earl-warren commented 2023-07-22 06:58:19 +00:00

Author

Owner

Copy link

In ACT

• https://github.com/nektos/act/blob/master/pkg/runner/testdata/mask-values has some test data on how secrets are sanitized
• https://github.com/nektos/act/blob/master/pkg/runner/logger.go#L146 the function doing the masking

In the runner

• https://code.forgejo.org/forgejo/runner/src/branch/main/internal/pkg/report/reporter.go#L425-L428

There may be a regression / inconsistency there.

In ACT * https://github.com/nektos/act/blob/master/pkg/runner/testdata/mask-values has some test data on how secrets are sanitized * https://github.com/nektos/act/blob/master/pkg/runner/logger.go#L146 the function doing the masking In the runner * https://code.forgejo.org/forgejo/runner/src/branch/main/internal/pkg/report/reporter.go#L425-L428 There may be a regression / inconsistency there.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

wip-config

2023-05-22-main-before-force-push

2023-04-30-main-before-force-push

v3.4.1

v3.4.0

v3.3.0

v3.2.0

v3.1.0

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.5.0

v2.4.0

v2.3.0

v2.2.0

v2.1.0

v2.0.4

v2.0.3

v2.0.2

v1.5.0

v2.0.1

v2.0.0

v1.8.1

v1.8.0

v1.7.0

v1.6.0

v1.4.3

v1.4.2

v1.4.1

v1.3.1

v1.4.0

v1.3.0

v1.2.0

v1.1.0

v0.0.1

v1.0.1

v1.0.0

Labels

Clear labels   

Kind/Breaking

Breaking change that won't be backward compatible

  

Kind/Bug

Something is not working

  

Kind/Documentation

Documentation changes

  

Kind/Enhancement

Improve existing functionality

  

Kind/Feature

New functionality

  

Kind/Security

This is security issue

  

Kind/Testing

Issue or pull request related to testing

  

Priority

Critical

The priority is critical

  

Priority

High

The priority is high

  

Priority

Low

The priority is low

  

Priority

Medium

The priority is medium

  

Reviewed

Confirmed

Issue has been confirmed

  

Reviewed

Duplicate

This issue or pull request already exists

  

Reviewed

Invalid

Invalid issue

  

Reviewed

Won't Fix

This issue won't be fixed

  

Status

Abandoned

Somebody has started to work on this but abandoned work

  

Status

Blocked

Something is blocking this issue or pull request

  

Status

Need More Info

Feedback is required to reproduce issue or to continue work

No labels

Kind/Breaking

Kind/Bug

Kind/Documentation

Kind/Enhancement

Kind/Feature

Kind/Security

Kind/Testing

Priority

Critical

Priority

High

Priority

Low

Priority

Medium

Reviewed

Confirmed

Reviewed

Duplicate

Reviewed

Invalid

Reviewed

Won't Fix

Status

Abandoned

Status

Blocked

Status

Need More Info

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: forgejo/runner#57

No description provided.