[BUG] Secrets not obfuscated? #546
Comments
@bakoontz2 Thanks for reporting. However, I am unable to reproduce the issue. Can you please confirm that the repro steps you provided above are exactly what produced the result in your screenshot? v2.5.0 is a little out of date at this point. Can you please try upgrading to v3 and see if you still see the issue? Thanks
No problem, let me try with the latest version and I'll report back.
OK, I updated to v3.0.0, and the issue is still there. However, I noticed that if I wrap the echo arguments in quotes, the secret is no longer exposed:
So perhaps this is a GitHub issue, masking behavior affected by whether or not a variable is being quoted?
@bakoontz2 Hello, thanks for the information. We recommend taking extra precaution when printing secrets like this and using masking. There are ways of extracting secrets even when using masking, so please ensure you trust your workflow authors.
Just wanted to find out if there are any additional updates that are planned to be made to try to add in an extra layer of masking, because using the latest version I was able to use the {{ env.secret }} with it masking, but when I'm doing a multi-line secret pull from Vault, if I reference it from a job output {{ steps.import-secrets.outputs.secret }}, I'm also seeing it unmasked in that format.
Vault server version
v1.14.1
vault-action version
v2.5.0
Describe the bug
Secrets are not obfuscated in GitHub logs when echoed.
To Reproduce
Expected behavior
The output of the three echo statements should be obfuscated.
Log Output
Additional info
The reason for the echo statements is to determine if secrets are empty. But I would expect just some content (***), and not the entire string to be visible.
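The report above echoes secrets to find out whether they are empty, and a later comment describes a multi-line value showing up unmasked. As an added example (not code from the issue thread or from vault-action), the shell functions below test for emptiness without printing the value and register each line of a multi-line value with GitHub's `::add-mask::` workflow command; the function names and the sample value are made up for illustration.

```shell
#!/bin/sh
# Added example; not code from the issue thread or from vault-action.
# secret_status and mask_lines are hypothetical helper names.
# ::add-mask:: is the GitHub Actions workflow command that registers a
# value so the runner replaces it with *** in later log output.

# Report whether a value is present without ever printing the value.
# $1 = label to show in the log, $2 = the value to test.
secret_status() {
  if [ -n "$2" ]; then
    printf '%s: set\n' "$1"
  else
    printf '%s: empty\n' "$1"
  fi
}

# Emit one ::add-mask:: command per non-empty line of $1. Workflow
# commands are read one log line at a time, so a multi-line value is
# registered line by line.
mask_lines() {
  ml_cr=$(printf '\r')
  printf '%s\n' "$1" | while IFS= read -r ml_line; do
    ml_line=${ml_line%"$ml_cr"}   # tolerate CRLF line endings
    if [ -n "$ml_line" ]; then
      printf '::add-mask::%s\n' "$ml_line"
    fi
  done
}

# Constructed sample value, not a real secret.
SAMPLE_MULTILINE='constructed-line-one
constructed-line-two'

# Typical use in a run: step, before anything else touches the value:
#   mask_lines "$MY_SECRET"
#   secret_status MY_SECRET "$MY_SECRET"
```

Masking applies only to output written after the `::add-mask::` lines have been emitted, so call `mask_lines` as the first thing the step does with the value.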