Mask secrets in job output (#231)

Previously secrets would be shown in log output as provided. This
commit updates the stepLogFormatter to replace any instance of the secret
string with "***", as GitHub Actions would

Known issues: If the secret is a generic string (such as "docker"), all
occurrences of that string will be replaced in the output

Co-authored-by: Casey Lee <cplee@nektos.com>
Michael Heap 2020-05-13 23:22:31 +01:00 committed by GitHub
parent a5e86bd024
commit d3f25bac79
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 3 deletions


@ -38,11 +38,12 @@ func init() {
}
// WithJobLogger attaches a new logger to context that is aware of steps
func WithJobLogger(ctx context.Context, jobName string) context.Context {
func WithJobLogger(ctx context.Context, jobName string, secrets map[string]string) context.Context {
mux.Lock()
defer mux.Unlock()
formatter := new(stepLogFormatter)
formatter.color = colors[nextColor%len(colors)]
formatter.secrets = secrets
nextColor++
logger := logrus.New()
@ -55,12 +56,18 @@ func WithJobLogger(ctx context.Context, jobName string) context.Context {
}
type stepLogFormatter struct {
color int
color int
secrets map[string]string
}
func (f *stepLogFormatter) Format(entry *logrus.Entry) ([]byte, error) {
b := &bytes.Buffer{}
// Replace any secrets in the entry
for _, v := range f.secrets {
entry.Message = strings.ReplaceAll(entry.Message, v, "***")
}
if f.isColored(entry) {
f.printColored(b, entry)
} else {
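Review bot: The masking loop in Format passes every secret value to `strings.ReplaceAll` unchecked, so a secret whose value is the empty string makes it insert `***` between every character of the message; empty values should be skipped. Because `f.secrets` is a map, the replacement order is also random, and when one secret is a substring of another the shorter one can be replaced first and leave the rest of the longer secret readable in the log. Replacing longest-first, as below, avoids both; it needs the `sort` package, and the sorted list could be built once in WithJobLogger instead of on every call. Only `entry.Message` is masked here, so if the formatter also prints `entry.Data` fields (not visible in this hunk) those would need the same treatment. Format's body continues past the end of the hunk.

```go
b := &bytes.Buffer{}
// Replace any secrets in the entry, longest value first so that a secret
// containing another secret is masked as a whole.
values := make([]string, 0, len(f.secrets))
for _, v := range f.secrets {
	if v != "" { // an empty old string would put "***" between every rune
		values = append(values, v)
	}
}
sort.Slice(values, func(i, j int) bool { return len(values[i]) > len(values[j]) })
for _, v := range values {
	entry.Message = strings.ReplaceAll(entry.Message, v, "***")
}
// … unchanged: colored / plain printing of the entry …
```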


@ -73,7 +73,7 @@ func (runner *runnerImpl) NewPlanExecutor(plan *model.Plan) common.Executor {
}
stageExecutor = append(stageExecutor, func(ctx context.Context) error {
jobName := fmt.Sprintf("%-*s", maxJobNameLen, rc.String())
return rc.Executor()(WithJobLogger(ctx, jobName))
return rc.Executor()(WithJobLogger(ctx, jobName, rc.Config.Secrets))
})
}
}