Register credentials extracted from proxy configuration as secrets #2930
Conversation
There was a problem hiding this comment.
Pull Request Overview
Registers credentials extracted from proxy configurations as GitHub Actions secrets to prevent accidental leakage in logs.
- Imports
@actions/coreand invokescore.setSecreton any extractedpasswordortoken. - Mirrors the secret-masking logic in the compiled JavaScript output.
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/start-proxy.ts | Imported @actions/core and added core.setSecret calls for password/token |
| lib/start-proxy.js | Added secret registration logic in the compiled start-proxy.js |
Comments suppressed due to low confidence (1)
src/start-proxy.ts:69
- Consider adding unit tests to verify that
core.setSecretis called when credentials include a password or token, ensuring secrets are properly masked in logs.
if (e.password !== undefined) {
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| @@ -63,6 +65,14 @@ | |||
|
|
|||
| const out: Credential[] = []; | |||
| for (const e of parsed) { | |||
| // Mask credentials to reduce change of accidental leakage in logs. | |||
| if (e.password !== undefined) { | |||
| core.setSecret(e.password); | |||
Check failure
Code scanning / CodeQL
Untrusted data passed to external API with additional heuristic sources High Experimental
mbg
force-pushed
the
mbg/start-proxy/mask-tokens
branch
from
dba74ad to
bbab102
Compare
| @@ -63,6 +65,14 @@ export function getCredentials( | |||
|
|
|||
| const out: Credential[] = []; | |||
| for (const e of parsed) { | |||
| // Mask credentials to reduce chance of accidental leakage in logs. | |||
| if (e.password !== undefined) { | |||
There was a problem hiding this comment.
Consider testing for null as well to guard against future changes. Better safe than sorry in these cases...
There was a problem hiding this comment.
I don't disagree, but we don't seem to check for null anywhere else (including elsewhere here where we inspect other members of the same JSON object).
I think we can do a much better job at validating the JSON value we get in general (e.g. check that it actually is an array, rather than just assuming it), but that may be a larger chunk of work. I am not sure if it makes sense to change this one now and not the others - what do you think?
There was a problem hiding this comment.
Hmm, good question. I was about to write that it is probably more important to be consistent and make a sweep later with proper validation.
But: What is the impact if the structure of the JSON changes and makes our assumptions false in other places vs. here? In other places something might just crash, which we can hopefully detect and fix, but here we risk leaking secrets.
Your call though, as I haven't looked at the other places, and don't know the severity of the potential leak...
This will cause the credentials extracted from the proxy configurations to subsequently be masked in the Actions log, reducing the probability of accidental leakage.
Merge / deployment checklist