masks the whole URL, update tests

actions · Mar 10, 2025 · 47c4fa8 · 47c4fa8
1 parent 1cd2f8a
commit 47c4fa8
Show file tree

Hide file tree

Showing 6 changed files with 217 additions and 132 deletions.
diff --git a/packages/artifact/__tests__/artifactTwirpClient.test.ts b/packages/artifact/__tests__/artifactTwirpClient.test.ts
@@ -1,9 +1,6 @@
 import {ArtifactHttpClient} from '../src/internal/shared/artifact-twirp-client'
-import {setSecret, debug} from '@actions/core'
-import {
-  CreateArtifactResponse,
-  GetSignedArtifactURLResponse
-} from '../src/generated/results/api/v1/artifact'
+import {setSecret} from '@actions/core'
+import {CreateArtifactResponse} from '../src/generated/results/api/v1/artifact'
 
 jest.mock('@actions/core', () => ({
   setSecret: jest.fn(),
@@ -26,70 +23,101 @@ describe('ArtifactHttpClient', () => {
     delete process.env['ACTIONS_RESULTS_URL']
   })
 
+  describe('maskSigUrl', () => {
+    it('should mask the sig parameter and set it as a secret', () => {
+      const url =
+        'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
+
+      const maskedUrl = client.maskSigUrl(url)
+
+      expect(setSecret).toHaveBeenCalledWith('secret-token')
+      expect(maskedUrl).toBe(
+        'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***'
+      )
+    })
+
+    it('should return the original URL if no sig parameter is found', () => {
+      const url = 'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z'
+
+      const maskedUrl = client.maskSigUrl(url)
+
+      expect(setSecret).not.toHaveBeenCalled()
+      expect(maskedUrl).toBe(url)
+    })
+
+    it('should handle sig parameter at the end of the URL', () => {
+      const url = 'https://example.com/upload?param1=value&sig=secret-token'
+
+      const maskedUrl = client.maskSigUrl(url)
+
+      expect(setSecret).toHaveBeenCalledWith('secret-token')
+      expect(maskedUrl).toBe('https://example.com/upload?param1=value&sig=***')
+    })
+
+    it('should handle sig parameter in the middle of the URL', () => {
+      const url = 'https://example.com/upload?sig=secret-token&param2=value'
+
+      const maskedUrl = client.maskSigUrl(url)
+
+      expect(setSecret).toHaveBeenCalledWith('secret-token&param2=value')
+      expect(maskedUrl).toBe('https://example.com/upload?sig=***')
+    })
+  })
+
   describe('maskSecretUrls', () => {
     it('should mask signed_upload_url', () => {
-      const response: CreateArtifactResponse = {
+      const spy = jest.spyOn(client, 'maskSigUrl')
+      const response = {
         ok: true,
-        signedUploadUrl:
+        signed_upload_url:
           'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
       }
 
       client.maskSecretUrls(response)
 
-      expect(setSecret).toHaveBeenCalledWith('secret-token')
-      expect(debug).toHaveBeenCalledWith(
-        'Masked signed_upload_url: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***'
+      expect(spy).toHaveBeenCalledWith(
+        'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
       )
     })
 
     it('should mask signed_download_url', () => {
-      const response: GetSignedArtifactURLResponse = {
-        signedUrl:
+      const spy = jest.spyOn(client, 'maskSigUrl')
+      const response = {
+        signed_url:
           'https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
       }
 
       client.maskSecretUrls(response)
 
-      expect(setSecret).toHaveBeenCalledWith('secret-token')
-      expect(debug).toHaveBeenCalledWith(
-        'Masked signed_url: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***'
+      expect(spy).toHaveBeenCalledWith(
+        'https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
       )
     })
 
-    it('should not call setSecret if URLs are missing', () => {
+    it('should not call maskSigUrl if URLs are missing', () => {
+      const spy = jest.spyOn(client, 'maskSigUrl')
       const response = {} as CreateArtifactResponse
 
       client.maskSecretUrls(response)
 
-      expect(setSecret).not.toHaveBeenCalled()
+      expect(spy).not.toHaveBeenCalled()
     })
 
-    it('should mask only the sensitive token part of signed_upload_url', () => {
-      const response: CreateArtifactResponse = {
-        ok: true,
-        signedUploadUrl:
-          'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
+    it('should handle both URL types when present', () => {
+      const spy = jest.spyOn(client, 'maskSigUrl')
+      const response = {
+        signed_upload_url: 'https://example.com/upload?sig=secret-token1',
+        signed_url: 'https://example.com/download?sig=secret-token2'
       }
 
       client.maskSecretUrls(response)
 
-      expect(setSecret).toHaveBeenCalledWith('secret-token')
-      expect(debug).toHaveBeenCalledWith(
-        'Masked signed_upload_url: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***'
+      expect(spy).toHaveBeenCalledTimes(2)
+      expect(spy).toHaveBeenCalledWith(
+        'https://example.com/upload?sig=secret-token1'
       )
-    })
-
-    it('should mask only the sensitive token part of signed_download_url', () => {
-      const response: GetSignedArtifactURLResponse = {
-        signedUrl:
-          'https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
-      }
-
-      client.maskSecretUrls(response)
-
-      expect(setSecret).toHaveBeenCalledWith('secret-token')
-      expect(debug).toHaveBeenCalledWith(
-        'Masked signed_url: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***'
+      expect(spy).toHaveBeenCalledWith(
+        'https://example.com/download?sig=secret-token2'
       )
     })
   })

diff --git a/packages/artifact/src/internal/shared/artifact-twirp-client.ts b/packages/artifact/src/internal/shared/artifact-twirp-client.ts
@@ -5,10 +5,6 @@ import {ArtifactServiceClientJSON} from '../../generated'
 import {getResultsServiceUrl, getRuntimeToken} from './config'
 import {getUserAgentString} from './user-agent'
 import {NetworkError, UsageError} from './errors'
-import {
-  CreateArtifactResponse,
-  GetSignedArtifactURLResponse
-} from '../../generated/results/api/v1/artifact'
 
 // The twirp http client must implement this interface
 interface Rpc {
@@ -77,24 +73,32 @@ export class ArtifactHttpClient implements Rpc {
   /**
    * Masks the `sig` parameter in a URL and sets it as a secret.
    * @param url The URL containing the `sig` parameter.
-   * @param urlType The type of the URL (e.g., 'signed_upload_url', 'signed_download_url').
+   * @returns A masked URL where the sig parameter value is replaced with '***' if found,
+   *          or the original URL if no sig parameter is present.
    */
-  maskSigUrl(url: string, urlType: string): void {
-    const sigMatch = url.match(/[?&]sig=([^&]+)/)
-    if (sigMatch) {
-      setSecret(sigMatch[1])
-      debug(`Masked ${urlType}: ${url.replace(sigMatch[1], '***')}`)
+  maskSigUrl(url: string): string {
+    const sigIndex = url.indexOf('sig=')
+    if (sigIndex !== -1) {
+      const sigValue = url.substring(sigIndex + 4)
+      setSecret(sigValue)
+      return `${url.substring(0, sigIndex + 4)}***`
     }
+    return url
   }
 
-  maskSecretUrls(
-    body: CreateArtifactResponse | GetSignedArtifactURLResponse
-  ): void {
-    if ('signedUploadUrl' in body && body.signedUploadUrl) {
-      this.maskSigUrl(body.signedUploadUrl, 'signed_upload_url')
-    }
-    if ('signedUrl' in body && body.signedUrl) {
-      this.maskSigUrl(body.signedUrl, 'signed_url')
+  maskSecretUrls(body): void {
+    if (typeof body === 'object' && body !== null) {
+      if (
+        'signed_upload_url' in body &&
+        typeof body.signed_upload_url === 'string'
+      ) {
+        this.maskSigUrl(body.signed_upload_url)
+      }
+      if ('signed_url' in body && typeof body.signed_url === 'string') {
+        this.maskSigUrl(body.signed_url)
+      }
+    } else {
+      debug('body is not an object or is null')
     }
   }
 

diff --git a/packages/cache/__tests__/cacheTwirpClient.test.ts b/packages/cache/__tests__/cacheTwirpClient.test.ts
@@ -1,9 +1,5 @@
-import {
-  CreateCacheEntryResponse,
-  GetCacheEntryDownloadURLResponse
-} from '../src/generated/results/api/v1/cache'
 import {CacheServiceClient} from '../src/internal/shared/cacheTwirpClient'
-import {setSecret, debug} from '@actions/core'
+import {setSecret} from '@actions/core'
 
 jest.mock('@actions/core', () => ({
   setSecret: jest.fn(),
@@ -24,75 +20,106 @@ describe('CacheServiceClient', () => {
     delete process.env['ACTIONS_RUNTIME_TOKEN']
   })
 
-  describe('maskSecretUrls', () => {
-    it('should mask signedUploadUrl', () => {
-      const response = {
-        ok: true,
-        signedUploadUrl:
-          'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
-      } as CreateCacheEntryResponse
+  describe('maskSigUrl', () => {
+    it('should mask the sig parameter and set it as a secret', () => {
+      const url =
+        'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
 
-      client.maskSecretUrls(response)
+      const maskedUrl = client.maskSigUrl(url)
 
       expect(setSecret).toHaveBeenCalledWith('secret-token')
-      expect(debug).toHaveBeenCalledWith(
-        'Masked signed_upload_url: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***'
+      expect(maskedUrl).toBe(
+        'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***'
       )
     })
 
-    it('should mask signedDownloadUrl', () => {
-      const response = {
-        ok: true,
-        signedDownloadUrl:
-          'https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=secret-token',
-        matchedKey: 'cache-key'
-      } as GetCacheEntryDownloadURLResponse
+    it('should return the original URL if no sig parameter is found', () => {
+      const url = 'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z'
+
+      const maskedUrl = client.maskSigUrl(url)
+
+      expect(setSecret).not.toHaveBeenCalled()
+      expect(maskedUrl).toBe(url)
+    })
+
+    it('should handle sig parameter at the end of the URL', () => {
+      const url = 'https://example.com/upload?param1=value&sig=secret-token'
 
-      client.maskSecretUrls(response)
+      const maskedUrl = client.maskSigUrl(url)
 
       expect(setSecret).toHaveBeenCalledWith('secret-token')
-      expect(debug).toHaveBeenCalledWith(
-        'Masked signed_download_url: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***'
-      )
+      expect(maskedUrl).toBe('https://example.com/upload?param1=value&sig=***')
     })
 
-    it('should not call setSecret if URLs are missing', () => {
-      const response = {ok: true} as CreateCacheEntryResponse
+    it('should handle sig parameter in the middle of the URL', () => {
+      const url = 'https://example.com/upload?sig=secret-token&param2=value'
 
-      client.maskSecretUrls(response)
+      const maskedUrl = client.maskSigUrl(url)
 
-      expect(setSecret).not.toHaveBeenCalled()
+      expect(setSecret).toHaveBeenCalledWith('secret-token&param2=value')
+      expect(maskedUrl).toBe('https://example.com/upload?sig=***')
+    })
+  })
+
+  describe('maskSecretUrls', () => {
+    it('should mask signed_upload_url', () => {
+      const spy = jest.spyOn(client, 'maskSigUrl')
+      const body = {
+        signed_upload_url: 'https://example.com/upload?sig=secret-token',
+        key: 'test-key',
+        version: 'test-version'
+      }
+
+      client.maskSecretUrls(body)
+
+      expect(spy).toHaveBeenCalledWith(
+        'https://example.com/upload?sig=secret-token'
+      )
     })
 
-    it('should mask only the sensitive token part of signedUploadUrl', () => {
-      const response = {
-        ok: true,
-        signedUploadUrl:
-          'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
-      } as CreateCacheEntryResponse
+    it('should mask signed_download_url', () => {
+      const spy = jest.spyOn(client, 'maskSigUrl')
+      const body = {
+        signed_download_url: 'https://example.com/download?sig=secret-token',
+        key: 'test-key',
+        version: 'test-version'
+      }
 
-      client.maskSecretUrls(response)
+      client.maskSecretUrls(body)
 
-      expect(setSecret).toHaveBeenCalledWith('secret-token')
-      expect(debug).toHaveBeenCalledWith(
-        'Masked signed_upload_url: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***'
+      expect(spy).toHaveBeenCalledWith(
+        'https://example.com/download?sig=secret-token'
       )
     })
 
-    it('should mask only the sensitive token part of signedDownloadUrl', () => {
-      const response = {
-        ok: true,
-        signedDownloadUrl:
-          'https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=secret-token',
-        matchedKey: 'cache-key'
-      } as GetCacheEntryDownloadURLResponse
+    it('should mask both URLs when both are present', () => {
+      const spy = jest.spyOn(client, 'maskSigUrl')
+      const body = {
+        signed_upload_url: 'https://example.com/upload?sig=secret-token1',
+        signed_download_url: 'https://example.com/download?sig=secret-token2'
+      }
 
-      client.maskSecretUrls(response)
+      client.maskSecretUrls(body)
 
-      expect(setSecret).toHaveBeenCalledWith('secret-token')
-      expect(debug).toHaveBeenCalledWith(
-        'Masked signed_download_url: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***'
+      expect(spy).toHaveBeenCalledTimes(2)
+      expect(spy).toHaveBeenCalledWith(
+        'https://example.com/upload?sig=secret-token1'
       )
+      expect(spy).toHaveBeenCalledWith(
+        'https://example.com/download?sig=secret-token2'
+      )
+    })
+
+    it('should not call maskSigUrl when URLs are missing', () => {
+      const spy = jest.spyOn(client, 'maskSigUrl')
+      const body = {
+        key: 'test-key',
+        version: 'test-version'
+      }
+
+      client.maskSecretUrls(body)
+
+      expect(spy).not.toHaveBeenCalled()
     })
   })
 })