Summary
Since #4787 the log output is printed on the INFO level, while previously it was logged on DEBUG. This means if the `go build` output is non-empty, goreleaser leaks the environment.
PoC
- Create a Go project with dependencies, do not pull them yet (or run goreleaser later in a container, or delete `$GOPATH/pkg`).
- Make sure to have secrets set in the environment.
- Make sure to not have `go mod tidy` in a before hook.
- Run `goreleaser release --clean`.
- Go prints lots of `go: downloading ...` lines, which triggers the "if output not empty, log it" line, which includes the environment.
Impact
Credentials and tokens are leaked.
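The pattern described above, a build wrapper that logs a command's non-empty output together with the process environment on the same line, is what turns a harmless `go: downloading ...` message into a credential leak once that line moves from DEBUG to INFO. The following is an added example, not goreleaser's own code, showing the shape of a safer wrapper: command output goes to INFO on its own, the environment goes to a separate DEBUG entry, and values of secret-looking variables are redacted before they are logged at any level. The `Level`, `Entry`, `CommandLogEntries` and `Render` names, the key-name pattern in `secretKey`, and the sample environment are all constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Level is a minimal log level; Info is above Debug.
type Level int

const (
	Debug Level = iota
	Info
)

// Entry is one log record with the level it would be emitted at.
type Entry struct {
	Level Level
	Msg   string
}

// secretKey matches environment variable names that usually hold credentials.
// The pattern is a constructed, deliberately broad heuristic.
var secretKey = regexp.MustCompile(`(?i)(TOKEN|SECRET|PASSW|KEY|CREDENTIAL)`)

// RedactEnv returns a copy of env ("KEY=value" pairs) in which the value of
// every secret-looking key is replaced by "[REDACTED]". Entries without '='
// and empty values are passed through unchanged.
func RedactEnv(env []string) []string {
	out := make([]string, 0, len(env))
	for _, kv := range env {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			out = append(out, kv)
			continue
		}
		k, v := parts[0], parts[1]
		if secretKey.MatchString(k) && v != "" {
			v = "[REDACTED]"
		}
		out = append(out, k+"="+v)
	}
	return out
}

// CommandLogEntries keeps the "if output not empty, log it" behaviour but
// never puts the environment into the INFO record: the command's combined
// output is one INFO entry (only when non-empty), and the redacted
// environment is a separate DEBUG entry.
func CommandLogEntries(output string, env []string) []Entry {
	var entries []Entry
	if s := strings.TrimSpace(output); s != "" {
		entries = append(entries, Entry{Info, "command output:\n" + s})
	}
	entries = append(entries, Entry{Debug, "command env: " + strings.Join(RedactEnv(env), " ")})
	return entries
}

// Render returns the messages a logger configured at threshold would print.
func Render(entries []Entry, threshold Level) []string {
	var out []string
	for _, e := range entries {
		if e.Level >= threshold {
			out = append(out, e.Msg)
		}
	}
	return out
}

func main() {
	// Constructed sample environment; the token value is not a real credential.
	env := []string{"GITHUB_TOKEN=ghp_constructed_example", "HOME=/home/ci", "GOFLAGS=-mod=mod"}
	entries := CommandLogEntries("go: downloading golang.org/x/sys v0.20.0\n", env)
	fmt.Println("--- at INFO ---")
	for _, line := range Render(entries, Info) {
		fmt.Println(line)
	}
	fmt.Println("--- at DEBUG ---")
	for _, line := range Render(entries, Debug) {
		fmt.Println(line)
	}
}
```

The design point is separation, not just redaction: even with a redaction pass, an INFO record that carries the whole environment will eventually leak a variable whose name does not match the heuristic, so the environment belongs in its own record at a level that is off by default in CI logs.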