
fix(security): a multiline secret may be found in a single log entry (#1051)

With secrets.MULTILINE set to

```
ABC
DEF
GHI
```

the following is logged in debug mode:

```
2025-09-18T10:54:04.4656189Z expression '${{ secrets.MULTILINE }}' rewritten to 'format('{0}', secrets.MULTILINE)'
2025-09-18T10:54:04.4656426Z evaluating expression 'format('{0}', secrets.MULTILINE)'
2025-09-18T10:54:04.4656797Z expression 'format('{0}', secrets.MULTILINE)' evaluated to '%!t(string=ABC\nDEF\nGHI)'
```

Although it is displayed with a backslash followed by n, it is a single-line entry that shows the secret verbatim, and it must also be redacted.

<!--start release-notes-assistant-->
<!--URL:https://code.forgejo.org/forgejo/runner-->
- bug fixes
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1051): <!--number 1051 --><!--line 0 --><!--description Zml4KHNlY3VyaXR5KTogYSBtdWx0aWxpbmUgc2VjcmV0IG1heSBiZSBmb3VuZCBpbiBhIHNpbmdsZSBsb2cgZW50cnk=-->fix(security): a multiline secret may be found in a single log entry<!--description-->
<!--end release-notes-assistant-->

Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/1051
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
Earl Warren 2025-10-03 08:22:06 +00:00 committed by earl-warren
parent 63351343ba
commit b772be7131
No known key found for this signature in database
GPG key ID: F128CBE6AB3A7201
2 changed files with 16 additions and 1 deletions


@ -38,7 +38,7 @@ func (o *masker) add(secret string) {
}) })
// a multiline secret transformed into a single line by replacing // a multiline secret transformed into a single line by replacing
// newlines with \ followed by n must also be redacted // newlines with \ followed by n must also be redacted
secret = strings.Join(lines, "\\n") o.lines = append(o.lines, strings.Join(lines, "\\n"))
} }
o.lines = append(o.lines, secret) o.lines = append(o.lines, secret)


@ -7,6 +7,8 @@ import (
"fmt" "fmt"
"testing" "testing"
runnerv1 "code.forgejo.org/forgejo/actions-proto/runner/v1"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
) )
@ -267,4 +269,17 @@ SIX`
assert.Equal(t, testCase.out, rowsToString(rows)) assert.Equal(t, testCase.out, rowsToString(rows))
}) })
} }
t.Run("MultilineSecretInSingleRow", func(t *testing.T) {
secret := "ABC\nDEF\nGHI"
m := newMasker()
m.add(secret)
rows := []*runnerv1.LogRow{
{Content: fmt.Sprintf("BEFORE%sAFTER", secret)},
}
noMore := false
needMore := m.replace(rows, noMore)
assert.False(t, needMore)
assert.Equal(t, "BEFORE***AFTER\n", rowsToString(rows))
})
} }
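Review bot: The new MultilineSecretInSingleRow case feeds the masker a row whose content holds the secret with real newline characters, while the debug entry quoted in the commit description carries the secret with a literal backslash followed by n; unless replace normalises newlines in row content (not visible here), the `strings.Join(lines, "\\n")` form the fix adds to o.lines is never matched by this test. A second row such as `{Content: "BEFOREABC\\nDEF\\nGHIAFTER"}` with the expectation extended to `"BEFORE***AFTER\nBEFORE***AFTER\n"` (assuming rowsToString terminates each row with a newline, as the existing assertion suggests) would pin the regression the commit is about. The `noMore := false` local only names a literal; `needMore := m.replace(rows, false) // no further rows follow` reads more directly. The enclosing test function starts outside the hunk.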