Mask different situations, malformed URL, encoded, decoded, raw signatures, nested parameters, and moved to a utility file

2026-05-04 16:28:05 +08:00 · 2025-03-12 03:17:35 -07:00
parent 5007821c77
commit 3ac34ffcb7
8 changed files with 923 additions and 320 deletions
--- a/packages/artifact/src/internal/shared/artifact-twirp-client.ts
+++ b/packages/artifact/src/internal/shared/artifact-twirp-client.ts
@@ -1,10 +1,11 @@
 import {HttpClient, HttpClientResponse, HttpCodes} from '@actions/http-client'
 import {BearerCredentialHandler} from '@actions/http-client/lib/auth'
-import {setSecret, info, debug} from '@actions/core'
+import {info, debug} from '@actions/core'
 import {ArtifactServiceClientJSON} from '../../generated'
 import {getResultsServiceUrl, getRuntimeToken} from './config'
 import {getUserAgentString} from './user-agent'
 import {NetworkError, UsageError} from './errors'
+import {maskSecretUrls} from './util'

 // The twirp http client must implement this interface
 interface Rpc {
@@ -70,38 +71,6 @@ export class ArtifactHttpClient implements Rpc {
    }
  }

-  /**
-   * Masks the `sig` parameter in a URL and sets it as a secret.
-   * @param url The URL containing the `sig` parameter.
-   * @returns A masked URL where the sig parameter value is replaced with '***' if found,
-   *          or the original URL if no sig parameter is present.
-   */
-  maskSigUrl(url: string): string {
-    const sigIndex = url.indexOf('sig=')
-    if (sigIndex !== -1) {
-      const sigValue = url.substring(sigIndex + 4)
-      setSecret(sigValue)
-      return `${url.substring(0, sigIndex + 4)}***`
-    }
-    return url
-  }
-
-  maskSecretUrls(body): void {
-    if (typeof body === 'object' && body !== null) {
-      if (
-        'signed_upload_url' in body &&
-        typeof body.signed_upload_url === 'string'
-      ) {
-        this.maskSigUrl(body.signed_upload_url)
-      }
-      if ('signed_url' in body && typeof body.signed_url === 'string') {
-        this.maskSigUrl(body.signed_url)
-      }
-    } else {
-      debug('body is not an object or is null')
-    }
-  }
-
  async retryableRequest(
    operation: () => Promise<HttpClientResponse>
  ): Promise<{response: HttpClientResponse; body: object}> {
@@ -118,7 +87,7 @@ export class ArtifactHttpClient implements Rpc {
        debug(`[Response] - ${response.message.statusCode}`)
        debug(`Headers: ${JSON.stringify(response.message.headers, null, 2)}`)
        const body = JSON.parse(rawBody)
-        this.maskSecretUrls(body)
+        maskSecretUrls(body)
        debug(`Body: ${JSON.stringify(body, null, 2)}`)
        if (this.isSuccessStatusCode(statusCode)) {
          return {response, body}