Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove logging of any SAS tokens in Actions/Cache and Actions/Artifact #1982

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
+953 −8
Open

Remove logging of any SAS tokens in Actions/Cache and Actions/Artifact #1982

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
944e6b7
Add secret and signature masking for cache and artifact packages
salmanmkc Mar 6, 2025
884aa17
remove these changes
salmanmkc Mar 6, 2025
1cd2f8a
Instead of using utility method in core lib, use method in both twirp…
salmanmkc Mar 7, 2025
47c4fa8
masks the whole URL, update tests
salmanmkc Mar 10, 2025
5007821
Remove clean script
salmanmkc Mar 10, 2025
3ac34ff
Mask different situations, malformed URL, encoded, decoded, raw signa…
salmanmkc Mar 12, 2025
abd9054
Log debug error when failing to decode
salmanmkc Mar 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
124 changes: 124 additions & 0 deletions packages/artifact/__tests__/artifactTwirpClient.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,124 @@
import {ArtifactHttpClient} from '../src/internal/shared/artifact-twirp-client'
import {setSecret} from '@actions/core'
import {CreateArtifactResponse} from '../src/generated/results/api/v1/artifact'

jest.mock('@actions/core', () => ({
setSecret: jest.fn(),
info: jest.fn(),
debug: jest.fn()
}))

describe('ArtifactHttpClient', () => {
let client: ArtifactHttpClient

beforeEach(() => {
jest.clearAllMocks()
process.env['ACTIONS_RUNTIME_TOKEN'] = 'test-token'
process.env['ACTIONS_RESULTS_URL'] = 'https://example.com'
client = new ArtifactHttpClient('test-agent')
})

afterEach(() => {
delete process.env['ACTIONS_RUNTIME_TOKEN']
delete process.env['ACTIONS_RESULTS_URL']
})

describe('maskSigUrl', () => {
it('should mask the sig parameter and set it as a secret', () => {
const url =
'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'

const maskedUrl = client.maskSigUrl(url)

expect(setSecret).toHaveBeenCalledWith('secret-token')
expect(maskedUrl).toBe(
'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***'
)
})

it('should return the original URL if no sig parameter is found', () => {
const url = 'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z'

const maskedUrl = client.maskSigUrl(url)

expect(setSecret).not.toHaveBeenCalled()
expect(maskedUrl).toBe(url)
})

it('should handle sig parameter at the end of the URL', () => {
const url = 'https://example.com/upload?param1=value&sig=secret-token'

const maskedUrl = client.maskSigUrl(url)

expect(setSecret).toHaveBeenCalledWith('secret-token')
expect(maskedUrl).toBe('https://example.com/upload?param1=value&sig=***')
})

it('should handle sig parameter in the middle of the URL', () => {
const url = 'https://example.com/upload?sig=secret-token&param2=value'

const maskedUrl = client.maskSigUrl(url)

expect(setSecret).toHaveBeenCalledWith('secret-token&param2=value')
expect(maskedUrl).toBe('https://example.com/upload?sig=***')
})
})

describe('maskSecretUrls', () => {
it('should mask signed_upload_url', () => {
const spy = jest.spyOn(client, 'maskSigUrl')
const response = {
ok: true,
signed_upload_url:
'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
}

client.maskSecretUrls(response)

expect(spy).toHaveBeenCalledWith(
'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
)
})

it('should mask signed_download_url', () => {
const spy = jest.spyOn(client, 'maskSigUrl')
const response = {
signed_url:
'https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
}

client.maskSecretUrls(response)

expect(spy).toHaveBeenCalledWith(
'https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
)
})

it('should not call maskSigUrl if URLs are missing', () => {
const spy = jest.spyOn(client, 'maskSigUrl')
const response = {} as CreateArtifactResponse

client.maskSecretUrls(response)

expect(spy).not.toHaveBeenCalled()
})

it('should handle both URL types when present', () => {
const spy = jest.spyOn(client, 'maskSigUrl')
const response = {
signed_upload_url: 'https://example.com/upload?sig=secret-token1',
signed_url: 'https://example.com/download?sig=secret-token2'
}

client.maskSecretUrls(response)

expect(spy).toHaveBeenCalledTimes(2)
expect(spy).toHaveBeenCalledWith(
'https://example.com/upload?sig=secret-token1'
)
expect(spy).toHaveBeenCalledWith(
'https://example.com/download?sig=secret-token2'
)
})
})
})
37 changes: 35 additions & 2 deletions packages/artifact/src/internal/shared/artifact-twirp-client.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
import {HttpClient, HttpClientResponse, HttpCodes} from '@actions/http-client'
import {BearerCredentialHandler} from '@actions/http-client/lib/auth'
import {info, debug} from '@actions/core'
import {setSecret, info, debug} from '@actions/core'
import {ArtifactServiceClientJSON} from '../../generated'
import {getResultsServiceUrl, getRuntimeToken} from './config'
import {getUserAgentString} from './user-agent'
Expand All @@ -16,7 +16,7 @@ interface Rpc {
): Promise<object | Uint8Array>
}

class ArtifactHttpClient implements Rpc {
export class ArtifactHttpClient implements Rpc {
private httpClient: HttpClient
private baseUrl: string
private maxAttempts = 5
Expand Down Expand Up @@ -70,6 +70,38 @@ class ArtifactHttpClient implements Rpc {
}
}

/**
* Masks the `sig` parameter in a URL and sets it as a secret.
* @param url The URL containing the `sig` parameter.
* @returns A masked URL where the sig parameter value is replaced with '***' if found,
* or the original URL if no sig parameter is present.
*/
maskSigUrl(url: string): string {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of having this as a method on clients (therefore needing to export/test the entire client) how about making a singular maskSignedURLSignature utility function?

Copy link
Author

@salmanmkc salmanmkc Mar 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, tried to do that here, discussed with @Link- and was told it's ok to have duplicated code, so reverted the approach with the utility function and put it into each client. Ran into some issue with testing it locally using npm link for some reason. Logically I think it should work with the utility function in core, so open to trying that out, but hit that issue with the test saying the utility function doesn't exist, despite the compiled code showing it and the typescript compiler not complaining.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the same conversation we had for cache / artifacts regarding the clients and shared components. It might not be worth it to block this small fix by a larger effort to address the use of a shared library

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't necessarily mean making it shared across packages, more of a utility function in each. Since it's on the client, we're exporting it now (for tests?). It doesn't need to be on the client class since it it doesn't use any class attributes and could be easier to test just that part.

But this is all nonblocking for the change

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah okay, ya that sounds like a good idea, I can put it in util.ts

const sigIndex = url.indexOf('sig=')
if (sigIndex !== -1) {
const sigValue = url.substring(sigIndex + 4)
setSecret(sigValue)
return `${url.substring(0, sigIndex + 4)}***`
}
return url
}

maskSecretUrls(body): void {
if (typeof body === 'object' && body !== null) {
if (
'signed_upload_url' in body &&
typeof body.signed_upload_url === 'string'
) {
this.maskSigUrl(body.signed_upload_url)
}
if ('signed_url' in body && typeof body.signed_url === 'string') {
this.maskSigUrl(body.signed_url)
}
} else {
debug('body is not an object or is null')
}
}

async retryableRequest(
operation: () => Promise<HttpClientResponse>
): Promise<{response: HttpClientResponse; body: object}> {
Expand All @@ -86,6 +118,7 @@ class ArtifactHttpClient implements Rpc {
debug(`[Response] - ${response.message.statusCode}`)
debug(`Headers: ${JSON.stringify(response.message.headers, null, 2)}`)
const body = JSON.parse(rawBody)
this.maskSecretUrls(body)
debug(`Body: ${JSON.stringify(body, null, 2)}`)
if (this.isSuccessStatusCode(statusCode)) {
return {response, body}
Expand Down
125 changes: 125 additions & 0 deletions packages/cache/__tests__/cacheTwirpClient.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,125 @@
import {CacheServiceClient} from '../src/internal/shared/cacheTwirpClient'
import {setSecret} from '@actions/core'

jest.mock('@actions/core', () => ({
setSecret: jest.fn(),
info: jest.fn(),
debug: jest.fn()
}))

describe('CacheServiceClient', () => {
let client: CacheServiceClient

beforeEach(() => {
jest.clearAllMocks()
process.env['ACTIONS_RUNTIME_TOKEN'] = 'test-token'
client = new CacheServiceClient('test-agent')
})

afterEach(() => {
delete process.env['ACTIONS_RUNTIME_TOKEN']
})

describe('maskSigUrl', () => {
it('should mask the sig parameter and set it as a secret', () => {
const url =
'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'

const maskedUrl = client.maskSigUrl(url)

expect(setSecret).toHaveBeenCalledWith('secret-token')
expect(maskedUrl).toBe(
'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***'
)
})

it('should return the original URL if no sig parameter is found', () => {
const url = 'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z'

const maskedUrl = client.maskSigUrl(url)

expect(setSecret).not.toHaveBeenCalled()
expect(maskedUrl).toBe(url)
})

it('should handle sig parameter at the end of the URL', () => {
const url = 'https://example.com/upload?param1=value&sig=secret-token'

const maskedUrl = client.maskSigUrl(url)

expect(setSecret).toHaveBeenCalledWith('secret-token')
expect(maskedUrl).toBe('https://example.com/upload?param1=value&sig=***')
})

it('should handle sig parameter in the middle of the URL', () => {
const url = 'https://example.com/upload?sig=secret-token&param2=value'

const maskedUrl = client.maskSigUrl(url)

expect(setSecret).toHaveBeenCalledWith('secret-token&param2=value')
expect(maskedUrl).toBe('https://example.com/upload?sig=***')
})
})

describe('maskSecretUrls', () => {
it('should mask signed_upload_url', () => {
const spy = jest.spyOn(client, 'maskSigUrl')
const body = {
signed_upload_url: 'https://example.com/upload?sig=secret-token',
key: 'test-key',
version: 'test-version'
}

client.maskSecretUrls(body)

expect(spy).toHaveBeenCalledWith(
'https://example.com/upload?sig=secret-token'
)
})

it('should mask signed_download_url', () => {
const spy = jest.spyOn(client, 'maskSigUrl')
const body = {
signed_download_url: 'https://example.com/download?sig=secret-token',
key: 'test-key',
version: 'test-version'
}

client.maskSecretUrls(body)

expect(spy).toHaveBeenCalledWith(
'https://example.com/download?sig=secret-token'
)
})

it('should mask both URLs when both are present', () => {
const spy = jest.spyOn(client, 'maskSigUrl')
const body = {
signed_upload_url: 'https://example.com/upload?sig=secret-token1',
signed_download_url: 'https://example.com/download?sig=secret-token2'
}

client.maskSecretUrls(body)

expect(spy).toHaveBeenCalledTimes(2)
expect(spy).toHaveBeenCalledWith(
'https://example.com/upload?sig=secret-token1'
)
expect(spy).toHaveBeenCalledWith(
'https://example.com/download?sig=secret-token2'
)
})

it('should not call maskSigUrl when URLs are missing', () => {
const spy = jest.spyOn(client, 'maskSigUrl')
const body = {
key: 'test-key',
version: 'test-version'
}

client.maskSecretUrls(body)

expect(spy).not.toHaveBeenCalled()
})
})
})
31 changes: 25 additions & 6 deletions packages/cache/package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions packages/cache/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,7 @@
"semver": "^6.3.1"
},
"devDependencies": {
"@types/node": "^22.13.9",
"@types/semver": "^6.0.0",
"typescript": "^5.2.2"
}
Expand Down
Loading
Loading