From d3f25bac799bb290b17264ed965452d6cee93ace Mon Sep 17 00:00:00 2001
From: Michael Heap
Date: Wed, 13 May 2020 23:22:31 +0100
Subject: [PATCH] Mask secrets in job output (#231)
Previously secrets would be shown in log output as provided. This commit updates the stepLogFormatter to replace any instance of the secret string with "***", as GitHub Actions would
Known issues: If the secret is a generic string (such as "docker"), all occurances of that string will be replaced in the output
Co-authored-by: Casey Lee
---
 pkg/runner/logger.go | 11 +++++++++--
 pkg/runner/runner.go | 2 +-
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/pkg/runner/logger.go b/pkg/runner/logger.go
index c1ace20..89d85f4 100644
--- a/pkg/runner/logger.go
+++ b/pkg/runner/logger.go
@@ -38,11 +38,12 @@ func init() {
 }
 // WithJobLogger attaches a new logger to context that is aware of steps
-func WithJobLogger(ctx context.Context, jobName string) context.Context {
+func WithJobLogger(ctx context.Context, jobName string, secrets map[string]string) context.Context {
 mux.Lock()
 defer mux.Unlock()
 formatter := new(stepLogFormatter)
 formatter.color = colors[nextColor%len(colors)]
+ formatter.secrets = secrets
 nextColor++
 logger := logrus.New()
@@ -55,12 +56,18 @@ func WithJobLogger(ctx context.Context, jobName string) context.Context {
 }
 type stepLogFormatter struct {
- color int
+ color int
+ secrets map[string]string
 }
 func (f *stepLogFormatter) Format(entry *logrus.Entry) ([]byte, error) {
 b := &bytes.Buffer{}
+ // Replace any secrets in the entry
+ for _, v := range f.secrets {
+ entry.Message = strings.ReplaceAll(entry.Message, v, "***")
+ }
+
 if f.isColored(entry) {
 f.printColored(b, entry)
 } else {
diff --git a/pkg/runner/runner.go b/pkg/runner/runner.go
index 8351720..54a4705 100644
--- a/pkg/runner/runner.go
+++ b/pkg/runner/runner.go
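Review bot: The doc comment above `WithJobLogger` (logger.go hunk at -38) still describes only step awareness, although the function now also determines what is redacted from job output. I would extend it to something like `// WithJobLogger attaches a step-aware logger to ctx; every value in secrets is replaced with "***" in the messages it formats (keys are ignored).` The map is stored on the formatter by reference rather than copied, and the second logger.go hunk ranges over it on every `Format` call, so a caller that modifies it while the job is logging would presumably race; the comment should say the map must not be changed afterwards. The function body continues past the end of this hunk.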
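Review bot: The masking loop added to `Format` (logger.go hunk at -55) misbehaves for two kinds of secret value. An empty value makes `strings.ReplaceAll` insert `***` around every character of the message, and because map iteration order is unspecified, a secret that is a substring of another may be replaced first and leave the rest of the longer secret readable. Skipping empty values and replacing longest-first avoids both; the sorted list could equally be built once in `WithJobLogger` rather than per call, and `sort` would need importing if logger.go does not already import it. Only `entry.Message` is masked, so if the formatter prints `entry.Data` fields in code outside this hunk, those would need the same treatment. `Format` continues past the end of the hunk.

```go
	// Replace any secrets in the entry, longest first so that a secret
	// containing another one is masked as a whole.
	values := make([]string, 0, len(f.secrets))
	for _, v := range f.secrets {
		if v != "" { // an empty needle would put "***" around every character
			values = append(values, v)
		}
	}
	sort.Slice(values, func(i, j int) bool { return len(values[i]) > len(values[j]) })
	for _, v := range values {
		entry.Message = strings.ReplaceAll(entry.Message, v, "***")
	}
	// … unchanged: isColored / printColored branch …
```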
@@ -73,7 +73,7 @@ func (runner *runnerImpl) NewPlanExecutor(plan *model.Plan) common.Executor {
 }
 stageExecutor = append(stageExecutor, func(ctx context.Context) error {
 jobName := fmt.Sprintf("%-*s", maxJobNameLen, rc.String())
- return rc.Executor()(WithJobLogger(ctx, jobName))
+ return rc.Executor()(WithJobLogger(ctx, jobName, rc.Config.Secrets))
 })
 }
 }