mirror of https://code.forgejo.org/forgejo/runner.git synced 2025-10-20 19:52:06 +00:00
forgejo-runner/internal/pkg
Earl Warren b772be7131
fix(security): a multiline secret may be found in a single log entry (#1051)
With secrets.MULTILINE set to

```
ABC
DEF
GHI
```

the following is logged in debug mode:

```
2025-09-18T10:54:04.4656189Z expression '${{ secrets.MULTILINE }}' rewritten to 'format('{0}', secrets.MULTILINE)'
2025-09-18T10:54:04.4656426Z evaluating expression 'format('{0}', secrets.MULTILINE)'
2025-09-18T10:54:04.4656797Z expression 'format('{0}', secrets.MULTILINE)' evaluated to '%!t(string=ABC\nDEF\nGHI)'
```

Although it is displayed with \ followed by n, it is a single line entry displayed with the secret verbatim and must also be redacted.

- bug fixes
  - [PR](https://code.forgejo.org/forgejo/runner/pulls/1051): fix(security): a multiline secret may be found in a single log entry

Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/1051
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
2025-10-03 08:22:06 +00:00
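
The failure mode in the commit message above, as an added Go example that is not the runner's own code: a multiline secret has to be masked both when it is spread over consecutive log entries, one line each, and when it sits verbatim inside a single entry. The names `redactEntry` and `redactEntries` and the `***` mask are assumptions made for this sketch, and the log entries are constructed from the sample on the page.

```go
package main

import (
	"fmt"
	"strings"
)

const mask = "***"

// redactEntry masks each secret found verbatim in one entry, embedded newlines included.
func redactEntry(entry string, secrets []string) string {
	for _, s := range secrets {
		if s != "" {
			entry = strings.ReplaceAll(entry, s, mask)
		}
	}
	return entry
}

// redactEntries also masks a multiline secret spread over consecutive entries, one line each.
func redactEntries(entries, secrets []string) []string {
	out := make([]string, len(entries))
	for i, e := range entries {
		out[i] = redactEntry(e, secrets)
	}
	for _, s := range secrets {
		l := strings.Split(strings.Trim(s, "\n"), "\n")
		n := len(l)
		for i := 0; n > 1 && i+n <= len(out); i++ {
			ok := strings.HasSuffix(out[i], l[0]) && strings.HasPrefix(out[i+n-1], l[n-1])
			for k := 1; ok && k < n-1; k++ {
				ok = out[i+k] == l[k]
			}
			if ok {
				out[i] = strings.TrimSuffix(out[i], l[0]) + mask
				out[i+n-1] = mask + strings.TrimPrefix(out[i+n-1], l[n-1])
			}
			for k := 1; ok && k < n-1; k++ {
				out[i+k] = mask
			}
		}
	}
	return out
}

func main() {
	secrets := []string{"ABC\nDEF\nGHI"} // constructed sample, the value used on the page
	fmt.Printf("%q\n", redactEntry("evaluated to '%!t(string=ABC\nDEF\nGHI)'", secrets))
	fmt.Printf("%q\n", redactEntries([]string{"echo ABC", "DEF", "GHI done"}, secrets))
}
```

A redactor that only matches the secret line by line across entries misses the first case, which is the debug-mode entry the commit describes.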

| Name | Last commit | Date |
| --- | --- | --- |
| .. | | |
| client | chore: cache: generate mocks for act/artifactcache/caches.go | 2025-09-05 17:30:08 +02:00 |
| common | feat: insert the daemon context in the poller context | 2025-08-16 19:13:32 +02:00 |
| config | fix: modifying a cache secret does not invalidate cached entries (#1043) | 2025-10-01 16:38:38 +00:00 |
| envcheck | fix: [container].docker_host = "" is now "automount" | 2024-11-27 01:36:18 +00:00 |
| labels | fix: prevent space prefix/suffix in runner labels (#829) | 2025-08-10 15:43:34 +00:00 |
| report | fix(security): a multiline secret may be found in a single log entry (#1051) | 2025-10-03 08:22:06 +00:00 |
| ver | chore: bump version to v11 (#940) | 2025-09-05 07:29:38 +00:00 |