From b772be7131102d2c19a745811a569cd4ff1cbced Mon Sep 17 00:00:00 2001 From: Earl Warren Date: Fri, 3 Oct 2025 08:22:06 +0000 Subject: [PATCH] fix(security): a multiline secret may be found in a single log entry (#1051) With secrets.MULTILINE set to ``` ABC DEF GHI ``` the following is logged in debug mode: ``` 2025-09-18T10:54:04.4656189Z expression '${{ secrets.MULTILINE }}' rewritten to 'format('{0}', secrets.MULTILINE)' 2025-09-18T10:54:04.4656426Z evaluating expression 'format('{0}', secrets.MULTILINE)' 2025-09-18T10:54:04.4656797Z expression 'format('{0}', secrets.MULTILINE)' evaluated to '%!t(string=ABC\nDEF\nGHI)' ``` Although it is displayed with \ followed by n, it is a single line entry displayed with the secret verbatim and must also be redacted. - bug fixes - [PR](https://code.forgejo.org/forgejo/runner/pulls/1051): fix(security): a multiline secret may be found in a single log entry Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/1051 Reviewed-by: Michael Kriese Co-authored-by: Earl Warren Co-committed-by: Earl Warren --- internal/pkg/report/mask.go | 2 +- internal/pkg/report/mask_test.go | 15 +++++++++++++++ 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/internal/pkg/report/mask.go b/internal/pkg/report/mask.go index 2ae19b8f..3dbb6f42 100644 --- a/internal/pkg/report/mask.go +++ b/internal/pkg/report/mask.go @@ -38,7 +38,7 @@ func (o *masker) add(secret string) { }) // a multiline secret transformed into a single line by replacing // newlines with \ followed by n must also be redacted - secret = strings.Join(lines, "\\n") + o.lines = append(o.lines, strings.Join(lines, "\\n")) } o.lines = append(o.lines, secret) diff --git a/internal/pkg/report/mask_test.go b/internal/pkg/report/mask_test.go index 8f26e698..b785c4dc 100644 --- a/internal/pkg/report/mask_test.go +++ b/internal/pkg/report/mask_test.go @@ -7,6 +7,8 @@ import ( "fmt" "testing" + runnerv1 "code.forgejo.org/forgejo/actions-proto/runner/v1" + "github.com/stretchr/testify/assert" ) @@ -267,4 +269,17 @@ SIX` assert.Equal(t, testCase.out, rowsToString(rows)) }) } + + t.Run("MultilineSecretInSingleRow", func(t *testing.T) { + secret := "ABC\nDEF\nGHI" + m := newMasker() + m.add(secret) + rows := []*runnerv1.LogRow{ + {Content: fmt.Sprintf("BEFORE%sAFTER", secret)}, + } + noMore := false + needMore := m.replace(rows, noMore) + assert.False(t, needMore) + assert.Equal(t, "BEFORE***AFTER\n", rowsToString(rows)) + }) }