Docker Token Leaked in Debug Logs #485
Comments
Also see: #483 (comment)
As stated in #372, masking the credentials prevents them from being used in other jobs.
Your comment in #372 states:
This is not true, if you re-run a build in debug mode without any prints whatsoever, the credentials are printed in the logs. This is why I raised this issue.
@therealdwright My apologies, I should've made that more clear. When I say "specifically printed by the user", I'm inferring debug mode as well since it's documented as saying it will log environment information.
This is quite undesirable behaviour as it's leaking sensitive credentials. Would you like me to have a go at pushing a PR to fix this?
Yeah we've had an internal discussion about this previously, but as of now we don't have anything planned soon to fix this. So a PR would be great, thanks! I'll take a look at it when I can.
I believe the original PR was the correct way to handle it as GitHub intentionally doesn't allow the passing of secret values between the job. Why must this behaviour be preserved when it knowingly leaks secrets? If it is a hard and fast rule that docker_password must be an unmasked output I'd like to know so we can stop using this plugin.
@arjraman - I decided a good compromise would be to add a mask-password input allowing users to optionally (disabled by default) mask the password. This seems to be a happy medium of allowing users to enforce password is not logged but maintains behaviour that your other users rely on.
Describe the bug
When setting the credentials as an output and running a github action in debug mode, the base64 encoded credentials are leaked in the logs.
To Reproduce
Steps to reproduce the behavior:
Observe logs (obfuscated example below)
echo <TOKEN> docker login --username AWS --password-stdin <registry>
Expected behavior
The token to not be displayed in the logs.
Screenshots
See above.
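The thread above turns on one mechanism: a step output that is not registered as a secret is printed verbatim when a job is re-run in debug mode, while a value registered with the runner's `::add-mask::` workflow command is replaced with `***` in every later log line. The following shell script is an added illustration of that optional masking behaviour and is not the action's own code; the `publish_password` and `redact_log_line` helper names, the registry hostname and the base64 token value are all constructed for the example. It assumes the standard `GITHUB_OUTPUT` file mechanism that the runner provides to actions.

```shell
#!/bin/sh
# Added example (not the action's code): publishing a registry password as a
# step output with optional masking, and a local simulation of what the
# runner does with a masked value. Assumes GITHUB_OUTPUT is the runner's
# output file; when unset (running this script by hand) writes go to /dev/null.

# Register a value as a secret with the runner. From this point on the runner
# rewrites every occurrence of the value in the job log as ***, including the
# environment and output dumps produced by a debug-mode re-run.
mask_value() {
  printf '::add-mask::%s\n' "$1"
}

# Set a step output via the GITHUB_OUTPUT file (name=value, one per line).
set_output() {
  printf '%s=%s\n' "$1" "$2" >> "${GITHUB_OUTPUT:-/dev/null}"
}

# Publish the docker password as the docker_password output. With the second
# argument set to "true" (the opt-in the mask-password input describes) the
# value is masked first; the default keeps the unmasked behaviour others rely
# on, which is exactly what leaks in debug logs.
publish_password() {
  password=$1
  mask_password=${2:-false}
  if [ "$mask_password" = "true" ]; then
    mask_value "$password"
  fi
  set_output docker_password "$password"
}

# Offline stand-in for the runner's log redaction: replace every occurrence of
# the masked secret in a log line with ***. Plain substring match via awk's
# index(), so base64 characters such as + / = need no escaping.
redact_log_line() {
  printf '%s\n' "$1" | awk -v secret="$2" '
    { while ((i = index($0, secret)) > 0)
        $0 = substr($0, 1, i - 1) "***" substr($0, i + length(secret)) }
    1'
}

# Demonstration with a constructed placeholder token and registry (not real).
TOKEN='QVdTOmV4YW1wbGV0b2tlbg=='
publish_password "$TOKEN" true
redact_log_line "echo $TOKEN | docker login --username AWS --password-stdin 123456789012.dkr.ecr.example" "$TOKEN"
```

Running the script by hand prints the `::add-mask::` line followed by the login command with the token already replaced by `***`; inside a job the runner consumes the first line and performs the second step itself on the real log. Because masking is registered per job, the masked value still cannot be consumed by other jobs, which is the trade-off the comments discuss.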