[BUG] Secrets not obfuscated? #546

Open
bakoontz2 opened this issue May 4, 2024 · 5 comments
Labels
bug Something isn't working

Comments

@bakoontz2

bakoontz2 commented May 4, 2024

Vault server version

v1.14.1

vault-action version

v2.5.0

Describe the bug

Secrets are not obfuscated in GitHub logs when echoed.

To Reproduce

```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: write
    steps:
    - name: Import Secrets via Hashicorp
      id: import-secrets
      uses: hashicorp/vault-action@v2.5.0
      with:
        method: jwt
        url: https://<hostname>
        namespace: automation/some-namespace
        role: github-os_repo-secrets
        secrets: |
             secrets/data/repo-secrets DATABRICKS_JDBCURL_PROD;
             secrets/data/repo-secrets DATABRICKS_PASS_PROD;
             secrets/data/repo-secrets DATABRICKS_USER_PROD;
        tlsSkipVerify: true
    - name: Output vars
      run: |
        echo ${{ env.DATABRICKS_JDBCURL_PROD }}
        echo ${{ env.DATABRICKS_PASS_PROD }}
        echo ${{ env.DATABRICKS_USER_PROD }}
```

Expected behavior

The output of the three echo statements should be obfuscated.

Log Output

[screenshot: log output]

Additional info

The reason for the echo statements is to determine if secrets are empty. But I would expect just some content (***), and not the entire string to be visible.

@bakoontz2 bakoontz2 added the bug Something isn't working label May 4, 2024
@fairclothjm
Contributor

@bakoontz2 Thanks for reporting. However, I am unable to reproduce the issue. Can you please confirm that the repro steps you provided above are exactly what produced the result in your screenshot?

v2.5.0 is a little out of date at this point. Can you please try upgrading to v3 and see if you still see the issue? Thanks

@bakoontz2
Author

No problem, let me try with the latest version and I'll report back.

@bakoontz2
Author

bakoontz2 commented May 6, 2024

OK, I updated to v3.0.0, and the issue is still there.

However, I noticed that if I wrap the echo arguments in quotes, the secret is no longer exposed:

```yaml
    - name: Output vars
      run: |
        echo "${{ env.DATABRICKS_JDBCURL_PROD }}"
        echo "${{ env.DATABRICKS_PASS_PROD }}"
        echo "${{ env.DATABRICKS_USER_PROD }}"
```

[screenshot: log output]

So perhaps this is a GitHub issue, masking behavior affected by whether or not a variable is being quoted?
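
The following is an added example, not code from this issue or from vault-action, that reproduces the quoting effect locally. It emulates two runner behaviours: a `${{ env.X }}` expression is expanded by plain text substitution into the step script before the shell ever runs it, and the log masker only replaces a registered secret where the exact string appears in a log line. The constructed secret is a JDBC-style URL whose `;` separators become command separators once the value is unquoted, so `echo` prints only the first fragment and the masker has nothing to match. The placeholder `${{ env.SECRET }}`, the sample value and the helper names (`replace_all`, `run_step`, `mask_log`, `masked_output`) are assumptions of this example. The third step reads the exported variable from the shell instead of expanding the expression; this assumes, as the report's own use of `env.` shows, that the action exports each secret as an environment variable.

```shell
#!/usr/bin/env bash
# Added example (not from the issue or vault-action): emulate expression
# expansion and exact-match log masking to show why quoting matters.

# Constructed sample value, not a real credential. The `;` option separators
# are what the shell will misread once the value lands unquoted in a script.
SECRET='jdbc:databricks://host:443/default;transportMode=http;httpPath=/sql/1.0/warehouses/abc;password=hunter2'
export SECRET   # the action exports secrets as env vars; the child shell below needs it too

# replace_all TEXT NEEDLE REPLACEMENT: literal (non-regex) replacement of every
# occurrence of NEEDLE, done in POSIX awk so sh and bash behave the same.
replace_all() {
  printf '%s\n' "$1" | awk -v needle="$2" -v repl="$3" '
    {
      out = ""; rest = $0
      while ((i = index(rest, needle)) > 0) {
        out = out substr(rest, 1, i - 1) repl
        rest = substr(rest, i + length(needle))
      }
      print out rest
    }'
}

# run_step TEMPLATE: expand the hypothetical `${{ env.SECRET }}` placeholder by
# textual substitution (as the runner does for expressions), then run the script.
run_step() {
  script=$(replace_all "$1" '${{ env.SECRET }}' "$SECRET")
  sh -c "$script"
}

# mask_log LOG: the runner masks only exact occurrences of a registered secret.
mask_log() {
  replace_all "$1" "$SECRET" '***'
}

# masked_output TEMPLATE: what ends up in the job log for one step body.
masked_output() {
  mask_log "$(run_step "$1")"
}

unquoted_step='echo ${{ env.SECRET }}'   # the original repro: leaks a fragment
quoted_step='echo "${{ env.SECRET }}"'   # the fix found in the thread: masked
envvar_step='echo "$SECRET"'             # read the variable in the shell instead: masked,
                                         # and the secret never enters the script text

for step in "$unquoted_step" "$quoted_step" "$envvar_step"; do
  printf 'step: %-28s log: %s\n' "$step" "$(masked_output "$step")"
done
```

Run it with `sh` or `bash`: the unquoted step logs `jdbc:databricks://host:443/default` in the clear, because the shell executed `echo` with only the text before the first `;` and then treated the remaining fragments as variable assignments, while the two quoted variants log `***`. The last form is the one to prefer in a `run:` step, since expanding `${{ env.X }}` into the script also lets a value containing shell metacharacters change what the step executes.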

@fairclothjm
Contributor

fairclothjm commented May 6, 2024

@bakoontz2 Hello, thanks for the information. We recommend taking extra precautions when printing secrets like this and using masking. There are ways of extracting secrets even when using masking, so please ensure you trust your workflow authors.

@xmabry

xmabry commented Sep 12, 2024

Just wanted to find out if there are any additional updates planned to add an extra layer of masking. Using the latest version I was able to use `{{ env.secret }}` with it masking, but when I'm doing a multi-line secret pull from Vault and reference it from a job output, `{{ steps.import-secrets.outputs.secret }}`, I'm also seeing it unmasked in that format.
