Merge pull request #1982 from actions/salmanmkc/obfuscate-sas

Remove logging of any SAS tokens in Actions/Cache and Actions/Artifact

packages/artifact/src/internal/shared/artifact-twirp-client.ts

@@ -5,6 +5,7 @@ import {ArtifactServiceClientJSON} from '../../generated'
 import {getResultsServiceUrl, getRuntimeToken} from './config'
 import {getUserAgentString} from './user-agent'
 import {NetworkError, UsageError} from './errors'
+import {maskSecretUrls} from './util'
 
 // The twirp http client must implement this interface
 interface Rpc {
@@ -86,6 +87,7 @@ class ArtifactHttpClient implements Rpc {
         debug(`[Response] - ${response.message.statusCode}`)
         debug(`Headers: ${JSON.stringify(response.message.headers, null, 2)}`)
         const body = JSON.parse(rawBody)
+        maskSecretUrls(body)
         debug(`Body: ${JSON.stringify(body, null, 2)}`)
         if (this.isSuccessStatusCode(statusCode)) {
           return {response, body}

packages/artifact/src/internal/shared/util.ts

@@ -1,6 +1,7 @@
 import * as core from '@actions/core'
 import {getRuntimeToken} from './config'
 import jwt_decode from 'jwt-decode'
+import {debug, setSecret} from '@actions/core'
 
 export interface BackendIds {
   workflowRunBackendId: string
@@ -69,3 +70,76 @@ export function getBackendIdsFromToken(): BackendIds {
 
   throw InvalidJwtError
 }
+
+/**
+ * Masks the `sig` parameter in a URL and sets it as a secret.
+ *
+ * @param url - The URL containing the signature parameter to mask
+ * @remarks
+ * This function attempts to parse the provided URL and identify the 'sig' query parameter.
+ * If found, it registers both the raw and URL-encoded signature values as secrets using
+ * the Actions `setSecret` API, which prevents them from being displayed in logs.
+ *
+ * The function handles errors gracefully if URL parsing fails, logging them as debug messages.
+ *
+ * @example
+ * ```typescript
+ * // Mask a signature in an Azure SAS token URL
+ * maskSigUrl('https://example.blob.core.windows.net/container/file.txt?sig=abc123&se=2023-01-01');
+ * ```
+ */
+export function maskSigUrl(url: string): void {
+  if (!url) return
+  try {
+    const parsedUrl = new URL(url)
+    const signature = parsedUrl.searchParams.get('sig')
+    if (signature) {
+      setSecret(signature)
+      setSecret(encodeURIComponent(signature))
+    }
+  } catch (error) {
+    debug(
+      `Failed to parse URL: ${url} ${
+        error instanceof Error ? error.message : String(error)
+      }`
+    )
+  }
+}
+
+/**
+ * Masks sensitive information in URLs containing signature parameters.
+ * Currently supports masking 'sig' parameters in the 'signed_upload_url'
+ * and 'signed_download_url' properties of the provided object.
+ *
+ * @param body - The object should contain a signature
+ * @remarks
+ * This function extracts URLs from the object properties and calls maskSigUrl
+ * on each one to redact sensitive signature information. The function doesn't
+ * modify the original object; it only marks the signatures as secrets for
+ * logging purposes.
+ *
+ * @example
+ * ```typescript
+ * const responseBody = {
+ *   signed_upload_url: 'https://example.com?sig=abc123',
+ *   signed_download_url: 'https://example.com?sig=def456'
+ * };
+ * maskSecretUrls(responseBody);
+ * ```
+ */
+export function maskSecretUrls(body: Record<string, unknown> | null): void {
+  if (typeof body !== 'object' || body === null) {
+    debug('body is not an object or is null')
+    return
+  }
+
+  if (
+    'signed_upload_url' in body &&
+    typeof body.signed_upload_url === 'string'
+  ) {
+    maskSigUrl(body.signed_upload_url)
+  }
+  if ('signed_url' in body && typeof body.signed_url === 'string') {
+    maskSigUrl(body.signed_url)
+  }
+}