actions/vault-action
5
0
Fork 0
mirror of https://github.com/hashicorp/vault-action.git synced 2025-11-07 15:16:56 +00:00
Code Activity Actions

Mask each line of multi-line secrets (#208)

Browse source 
* Mask each line of multi-line secrets

* Don't include carriage return characters in masking

* Update CHANGELOG.md
This commit is contained in:
Tom Proctor 2021-05-05 11:54:07 +01:00 committed by GitHub
parent f60544fbda
commit 3526e1be65
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 46 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
CHANGELOG.md
View file

@ -1,5 +1,8 @@
## Unreleased ## Unreleased
Security:
* multi-line secrets are now properly masked in logs [GH-208](https://github.com/hashicorp/vault-action/pull/208)
Features: Features:
* JWT auth method is now supported [GH-188](https://github.com/hashicorp/vault-action/pull/188) * JWT auth method is now supported [GH-188](https://github.com/hashicorp/vault-action/pull/188)

8
src/action.js
View file

@ -77,8 +77,12 @@ async function exportSecrets() {
const { value, request, cachedResponse } = result; const { value, request, cachedResponse } = result;
if (cachedResponse) { if (cachedResponse) {
core.debug(' using cached response'); core.debug(' using cached response');
} }
command.issue('add-mask', value); for (const line of value.replace(/\r/g, '').split('\n')) {
if (line.length > 0) {
command.issue('add-mask', line);
}
}
if (exportEnv) { if (exportEnv) {
core.exportVariable(request.envVarName, `${value}`); core.exportVariable(request.envVarName, `${value}`);
} }

37
src/action.test.js
View file

@ -2,6 +2,7 @@ jest.mock('got');
jest.mock('@actions/core'); jest.mock('@actions/core');
jest.mock('@actions/core/lib/command'); jest.mock('@actions/core/lib/command');
const command = require('@actions/core/lib/command');
const core = require('@actions/core'); const core = require('@actions/core');
const got = require('got'); const got = require('got');
const { const {
@ -294,4 +295,40 @@ describe('exportSecrets', () => {
expect(core.exportVariable).toBeCalledWith('KEY', '1'); expect(core.exportVariable).toBeCalledWith('KEY', '1');
expect(core.setOutput).toBeCalledWith('key', '1'); expect(core.setOutput).toBeCalledWith('key', '1');
}); });
it('single-line secret gets masked', async () => {
mockInput('test key');
mockVaultData({
key: 'secret'
});
mockExportToken("false")
await exportSecrets();
expect(command.issue).toBeCalledTimes(1);
expect(command.issue).toBeCalledWith('add-mask', 'secret');
expect(core.setOutput).toBeCalledWith('key', 'secret');
})
it('multi-line secret gets masked for each line', async () => {
const multiLineString = `a multi-line string
with blank lines
`
mockInput('test key');
mockVaultData({
key: multiLineString
});
mockExportToken("false")
await exportSecrets();
expect(command.issue).toBeCalledTimes(2); // 1 for each non-empty line.
expect(command.issue).toBeCalledWith('add-mask', 'a multi-line string');
expect(command.issue).toBeCalledWith('add-mask', 'with blank lines');
expect(core.setOutput).toBeCalledWith('key', multiLineString);
})
}); });