Mask each line of multi-line secrets (#208)

* Mask each line of multi-line secrets * Don't include carriage return characters in masking * Update CHANGELOG.md
2025-11-07 15:16:56 +00:00 · 2021-05-05 11:54:07 +01:00 · 2021-05-05 11:54:07 +01:00 · 3526e1be65
commit 3526e1be65
parent f60544fbda
3 changed files with 46 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,8 @@
 ## Unreleased

+Security:
+* multi-line secrets are now properly masked in logs [GH-208](https://github.com/hashicorp/vault-action/pull/208)
+
 Features:
 * JWT auth method is now supported [GH-188](https://github.com/hashicorp/vault-action/pull/188)

--- a/src/action.js
+++ b/src/action.js
@ -78,7 +78,11 @@ async function exportSecrets() {
        if (cachedResponse) {
            core.debug('ℹ using cached response');
        }
-        command.issue('add-mask', value);
+        for (const line of value.replace(/\r/g, '').split('\n')) {
+            if (line.length > 0) {
+                command.issue('add-mask', line);
+            }
+        }
        if (exportEnv) {
            core.exportVariable(request.envVarName, `${value}`);
        }
--- a/src/action.test.js
+++ b/src/action.test.js
@ -2,6 +2,7 @@ jest.mock('got');
 jest.mock('@actions/core');
 jest.mock('@actions/core/lib/command');

+const command = require('@actions/core/lib/command');
 const core = require('@actions/core');
 const got = require('got');
 const {
@ -294,4 +295,40 @@ describe('exportSecrets', () => {
        expect(core.exportVariable).toBeCalledWith('KEY', '1');
        expect(core.setOutput).toBeCalledWith('key', '1');
    });
+
+    it('single-line secret gets masked', async () => {
+        mockInput('test key');
+        mockVaultData({
+            key: 'secret'
+        });
+        mockExportToken("false")
+
+        await exportSecrets();
+
+        expect(command.issue).toBeCalledTimes(1);
+
+        expect(command.issue).toBeCalledWith('add-mask', 'secret');
+        expect(core.setOutput).toBeCalledWith('key', 'secret');
+    })
+
+    it('multi-line secret gets masked for each line', async () => {
+        const multiLineString = `a multi-line string
+
+with blank lines
+
+`
+        mockInput('test key');
+        mockVaultData({
+            key: multiLineString
+        });
+        mockExportToken("false")
+
+        await exportSecrets();
+
+        expect(command.issue).toBeCalledTimes(2); // 1 for each non-empty line.
+
+        expect(command.issue).toBeCalledWith('add-mask', 'a multi-line string');
+        expect(command.issue).toBeCalledWith('add-mask', 'with blank lines');
+        expect(core.setOutput).toBeCalledWith('key', multiLineString);
+    })
 });