[BUG] Secrets not obfuscated?
bakoontz2 opened this issue · 5 comments
Vault server version
v1.14.1
vault-action version
v2.5.0
Describe the bug
Secrets are not obfuscated in GitHub logs when echoed.
To Reproduce
```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: write
    steps:
      - name: Import Secrets via Hashicorp
        id: import-secrets
        uses: hashicorp/vault-action@v2.5.0
        with:
          method: jwt
          url: https://<hostname>
          namespace: automation/some-namespace
          role: github-os_repo-secrets
          secrets: |
            secrets/data/repo-secrets DATABRICKS_JDBCURL_PROD;
            secrets/data/repo-secrets DATABRICKS_PASS_PROD;
            secrets/data/repo-secrets DATABRICKS_USER_PROD;
          tlsSkipVerify: true   # skips TLS certificate verification of the Vault URL
      - name: Output vars
        # unquoted on purpose: this is the step whose output shows up unmasked
        run: |
          echo ${{ env.DATABRICKS_JDBCURL_PROD }}
          echo ${{ env.DATABRICKS_PASS_PROD }}
          echo ${{ env.DATABRICKS_USER_PROD }}
```
Expected behavior
The output of the three echo statements should be obfuscated.
Log Output
Additional info
The reason for the echo statements is to determine whether the secrets are empty, but I would expect to see only masked content (***), not the entire string.
@bakoontz2 Thanks for reporting. However, I am unable to reproduce the issue. Can you please confirm that the repro steps you provided above are exactly what produced the result in your screenshot?
v2.5.0 is a little out of date at this point. Can you please try upgrading to v3 and see if you still see the issue? Thanks
No problem, let me try with the latest version and I'll report back.
OK, I updated to v3.0.0, and the issue is still there.
However, I noticed that if I wrap the echo arguments in quotes, the secret is no longer exposed:
```yaml
      - name: Output vars
        run: |
          echo "${{ env.DATABRICKS_JDBCURL_PROD }}"
          echo "${{ env.DATABRICKS_PASS_PROD }}"
          echo "${{ env.DATABRICKS_USER_PROD }}"
```
So perhaps this is a GitHub issue, with masking behavior affected by whether or not a variable is quoted?
@bakoontz2 Hello, thanks for the information. We recommend taking extra precautions when printing secrets like this and using masking. There are ways of extracting secrets even when using masking, so please ensure you trust your workflow authors.
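Added example, not code from hashicorp/vault-action or from anyone in this thread, showing why the quoting in the previous two comments matters. It assumes two things about the runner for the purpose of the simulation: that a `${{ ... }}` expression in a `run:` step is expanded as plain text into the script before the shell executes it, and that log masking is an exact-substring replacement of each registered secret value with `***`. The secret value, the variable names reused from the issue and the `tr` transformation are constructed. It also shows the emptiness check the issue author wanted, done without ever interpolating or printing the value, and demonstrates the maintainer's caveat that masking alone is not a defence against a workflow author who transforms the value first.

```shell
#!/bin/sh
# Added example, not from hashicorp/vault-action or this thread.
# It simulates two runner behaviours (both assumptions for this illustration):
#   1. a ${{ ... }} expression in a run: step is expanded as plain text into
#      the script before any shell sees it, so shell syntax in the value is
#      interpreted (word splitting, globbing, ';', '$', ...);
#   2. log masking replaces exact occurrences of each registered secret value
#      with "***" and nothing else.

# Constructed sample secret (not a real credential). The double space is the
# point: an unquoted echo collapses it, so the printed text no longer equals
# the registered value and the mask never fires.
SECRET='s3cret  value'

# mask LINE: what the log collector is assumed to do to every output line.
# awk's index() is a literal search, so regex metacharacters in the secret
# are not a concern.
mask() {
  printf '%s\n' "$1" | awk -v s="$SECRET" '
    { while ((i = index($0, s)) > 0)
        $0 = substr($0, 1, i - 1) "***" substr($0, i + length(s))
      print }'
}

# render_and_run SCRIPT: the expression has already been substituted into
# SCRIPT as text (plain "$SECRET" interpolation below plays that role);
# a fresh shell then executes the text, as a run: step does.
render_and_run() {
  sh -c "$1"
}

# The step as written in the issue:   echo ${{ env.DATABRICKS_PASS_PROD }}
unquoted_echo() {
  mask "$(render_and_run "echo $SECRET")"
}

# The step from the follow-up:        echo "${{ env.DATABRICKS_PASS_PROD }}"
quoted_echo() {
  mask "$(render_and_run "echo \"$SECRET\"")"
}

# Quoting is a near miss, not a fix: any transformation of the value (here
# upper-casing; base64, rev or splitting would do as well) also escapes an
# exact-match mask. This is why trusting workflow authors still matters.
transformed_echo() {
  mask "$(render_and_run "echo \"$SECRET\" | tr a-z A-Z")"
}

# require_secret NAME: the check the issue wanted (is the secret empty?),
# done safely: the value is read from the environment, where vault-action
# puts exported secrets, and only NAME and a length reach the log. In a
# workflow this is `if [ -z "$DATABRICKS_PASS_PROD" ]`, a shell variable,
# never a ${{ }} expression.
require_secret() {
  name=$1
  case $name in
    *[!A-Za-z0-9_]*|'') echo "bad variable name" >&2; return 2 ;;
  esac
  eval "val=\${$name:-}"   # indirect lookup; NAME comes from the workflow, not from the secret
  if [ -z "$val" ]; then
    echo "$name is empty or unset" >&2
    return 1
  fi
  echo "$name is set (${#val} characters)"
}

echo "unquoted:    $(unquoted_echo)"      # s3cret value   <- leaked
echo "quoted:      $(quoted_echo)"        # ***            <- masked
echo "transformed: $(transformed_echo)"   # S3CRET  VALUE  <- leaked
DATABRICKS_USER_PROD=svc-user require_secret DATABRICKS_USER_PROD
```

In the workflow itself, the equivalent of `require_secret` is a `run:` step that tests the exported environment variable with `[ -z "$DATABRICKS_PASS_PROD" ]` and exits non-zero when it is empty; the value never appears in the script text or in the log, so the mask has nothing to miss.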
Just wanted to find out whether any additional updates are planned to add an extra layer of masking. Using the latest version I was able to use {{ env.secret }} with it masking, but when I'm doing a multi-line secret pull from Vault, if I reference it from a job output ({{ steps.import-secrets.outputs.secret }}) I'm also seeing it unmasked in that format.