add-mask is leaking a secret in master if debug or ::echo::on is set #158
Conversation
thboop
changed the title
| } | ||
|
|
||
| context.Error($"Unable to process command '{input}' successfully."); | ||
| var commandInformation = extension.OmitEcho ? extension.Command : input; |
There was a problem hiding this comment.
if the omit echo command crashes or otherwise fails, we should only log the command name not the entire command
| @@ -404,6 +405,7 @@ private static class RemoveMatcherCommandProperties | |||
| public sealed class DebugCommandExtension : RunnerService, IActionCommandExtension | |||
| { | |||
| public string Command => "debug"; | |||
| public bool OmitEcho => false; | |||
There was a problem hiding this comment.
Debug, Error, and Warning could be a candidate for ignoring echos (as they did previously), but they are commands and I feel like they should have both their command echo and their outputs appear in the logs.
The ADR specified all commands would work the same way, but we are breaking that for add-mask at the moment due to the security concerns.
There was a problem hiding this comment.
@bryanmacfarlane to weigh in
We should skip echo for debug, otherwise every debug statement gets written twice. It hinders debugging because the log is noisy and harder to read.
I would follow the same pattern for warning/error. Otherwise the message is written to the log twice. Looks silly.
There was a problem hiding this comment.
@juliobbv we will need to amend the ADR for consistency sake, we can link this discussion
There was a problem hiding this comment.
@ericsciple , this has been updated, can you take a look?
There was a problem hiding this comment.
@thboop I'll amend the ADR to reflect the add-mask, issue-command, and debug command logging behavior changes.
bryanmacfarlane
changed the title
thboop
force-pushed
the
users/thboop/OutputAfterProcessingCommand
branch
from
8b920aa
to
28ea219
Compare
|
Let's make sure this goes to master as well |
…158) * Output after processing command to avoid leaking mask * Remove extra noise output from echo changes * Omit Echoing of add-mask command * avoid echoing on debug/warning/error
…ctions#158) * Output after processing command to avoid leaking mask * Remove extra noise output from echo changes * Omit Echoing of add-mask command * avoid echoing on debug/warning/error
|
The bug is live in situation when the ::add-mask:: is the first command in a step, then the command is showed. If the command is in second and so on lines, then it is correctly not shown.
|
If debug variable is set or echo::on is used, add-mask will echo before the secret is registered and it will leak the secret. This bug did not ship and was caught in the release branch
Resolves #159, #157