Mask different situations, malformed URL, encoded, decoded, raw signatures, nested parameters, and moved to a utility file

2026-04-06 10:43:16 +08:00 · 2025-03-12 03:17:35 -07:00
parent 5007821c77
commit 3ac34ffcb7
8 changed files with 923 additions and 320 deletions
--- a/packages/cache/src/internal/shared/cacheTwirpClient.ts
+++ b/packages/cache/src/internal/shared/cacheTwirpClient.ts
@@ -1,4 +1,4 @@
-import {info, debug, setSecret} from '@actions/core'
+import {info, debug} from '@actions/core'
 import {getUserAgentString} from './user-agent'
 import {NetworkError, UsageError} from './errors'
 import {getCacheServiceURL} from '../config'
@@ -6,6 +6,7 @@ import {getRuntimeToken} from '../cacheUtils'
 import {BearerCredentialHandler} from '@actions/http-client/lib/auth'
 import {HttpClient, HttpClientResponse, HttpCodes} from '@actions/http-client'
 import {CacheServiceClientJSON} from '../../generated/results/api/v1/cache.twirp-client'
+import {maskSecretUrls} from './util'

 // The twirp http client must implement this interface
 interface Rpc {
@@ -94,7 +95,7 @@ export class CacheServiceClient implements Rpc {
        debug(`[Response] - ${response.message.statusCode}`)
        debug(`Headers: ${JSON.stringify(response.message.headers, null, 2)}`)
        const body = JSON.parse(rawBody)
-        this.maskSecretUrls(body)
+        maskSecretUrls(body)
        debug(`Body: ${JSON.stringify(body, null, 2)}`)
        if (this.isSuccessStatusCode(statusCode)) {
          return {response, body}
@@ -149,41 +150,6 @@ export class CacheServiceClient implements Rpc {
    throw new Error(`Request failed`)
  }

-  /**
-   * Masks the `sig` parameter in a URL and sets it as a secret.
-   * @param url The URL containing the `sig` parameter.
-   * @returns A masked URL where the sig parameter value is replaced with '***' if found,
-   *          or the original URL if no sig parameter is present.
-   */
-  maskSigUrl(url: string): string {
-    const sigIndex = url.indexOf('sig=')
-    if (sigIndex !== -1) {
-      const sigValue = url.substring(sigIndex + 4)
-      setSecret(sigValue)
-      return `${url.substring(0, sigIndex + 4)}***`
-    }
-    return url
-  }
-
-  maskSecretUrls(body): void {
-    if (typeof body === 'object' && body !== null) {
-      if (
-        'signed_upload_url' in body &&
-        typeof body.signed_upload_url === 'string'
-      ) {
-        this.maskSigUrl(body.signed_upload_url)
-      }
-      if (
-        'signed_download_url' in body &&
-        typeof body.signed_download_url === 'string'
-      ) {
-        this.maskSigUrl(body.signed_download_url)
-      }
-    } else {
-      debug('body is not an object or is null')
-    }
-  }
-
  isSuccessStatusCode(statusCode?: number): boolean {
    if (!statusCode) return false
    return statusCode >= 200 && statusCode < 300
--- a/packages/cache/src/internal/shared/util.ts
+++ b/packages/cache/src/internal/shared/util.ts
@@ -0,0 +1,171 @@
+import {debug, setSecret} from '@actions/core'
+
+/**
+ * Masks the `sig` parameter in a URL and sets it as a secret.
+ * @param url The URL containing the `sig` parameter.
+ * @returns A masked URL where the sig parameter value is replaced with '***' if found,
+ *          or the original URL if no sig parameter is present.
+ */
+export function maskSigUrl(url: string): string {
+  if (!url) return url
+
+  try {
+    const rawSigRegex = /[?&](sig)=([^&=#]+)/gi
+    let match
+
+    while ((match = rawSigRegex.exec(url)) !== null) {
+      const rawSignature = match[2]
+      if (rawSignature) {
+        setSecret(rawSignature)
+      }
+    }
+
+    let parsedUrl: URL
+    try {
+      parsedUrl = new URL(url)
+    } catch {
+      try {
+        parsedUrl = new URL(url, 'https://example.com')
+      } catch (error) {
+        debug(`Failed to parse URL: ${url}`)
+        return maskSigWithRegex(url)
+      }
+    }
+
+    let masked = false
+    const paramNames = Array.from(parsedUrl.searchParams.keys())
+
+    for (const paramName of paramNames) {
+      if (paramName.toLowerCase() === 'sig') {
+        const signature = parsedUrl.searchParams.get(paramName)
+        if (signature) {
+          setSecret(signature)
+          setSecret(encodeURIComponent(signature))
+          parsedUrl.searchParams.set(paramName, '***')
+          masked = true
+        }
+      }
+    }
+    if (masked) {
+      return parsedUrl.toString()
+    }
+
+    if (/([:?&]|^)(sig)=([^&=#]+)/i.test(url)) {
+      return maskSigWithRegex(url)
+    }
+  } catch (error) {
+    debug(
+      `Error masking URL: ${
+        error instanceof Error ? error.message : String(error)
+      }`
+    )
+    return maskSigWithRegex(url)
+  }
+
+  return url
+}
+
+/**
+ * Fallback method to mask signatures using regex when URL parsing fails
+ */
+function maskSigWithRegex(url: string): string {
+  try {
+    const regex = /([:?&]|^)(sig)=([^&=#]+)/gi
+
+    return url.replace(regex, (fullMatch, prefix, paramName, value) => {
+      if (value) {
+        setSecret(value)
+        try {
+          setSecret(decodeURIComponent(value))
+        } catch {
+          // Ignore decoding errors
+        }
+        return `${prefix}${paramName}=***`
+      }
+      return fullMatch
+    })
+  } catch (error) {
+    debug(
+      `Error in maskSigWithRegex: ${
+        error instanceof Error ? error.message : String(error)
+      }`
+    )
+    return url
+  }
+}
+
+/**
+ * Masks any URLs containing signature parameters in the provided object
+ * Recursively searches through nested objects and arrays
+ */
+export function maskSecretUrls(
+  body: Record<string, unknown> | unknown[] | null
+): void {
+  if (typeof body !== 'object' || body === null) {
+    debug('body is not an object or is null')
+    return
+  }
+
+  type NestedValue =
+    | string
+    | number
+    | boolean
+    | null
+    | undefined
+    | NestedObject
+    | NestedArray
+  interface NestedObject {
+    [key: string]: NestedValue
+    signed_upload_url?: string
+    signed_download_url?: string
+  }
+  type NestedArray = NestedValue[]
+
+  const processUrl = (url: string): void => {
+    maskSigUrl(url)
+  }
+
+  const processObject = (
+    obj: Record<string, NestedValue> | NestedValue[]
+  ): void => {
+    if (typeof obj !== 'object' || obj === null) {
+      return
+    }
+
+    if (Array.isArray(obj)) {
+      for (const item of obj) {
+        if (typeof item === 'string') {
+          processUrl(item)
+        } else if (typeof item === 'object' && item !== null) {
+          processObject(item as Record<string, NestedValue> | NestedValue[])
+        }
+      }
+      return
+    }
+
+    if (
+      'signed_upload_url' in obj &&
+      typeof obj.signed_upload_url === 'string'
+    ) {
+      maskSigUrl(obj.signed_upload_url)
+    }
+    if (
+      'signed_download_url' in obj &&
+      typeof obj.signed_download_url === 'string'
+    ) {
+      maskSigUrl(obj.signed_download_url)
+    }
+
+    for (const key in obj) {
+      const value = obj[key]
+      if (typeof value === 'string') {
+        if (/([:?&]|^)(sig)=/i.test(value)) {
+          maskSigUrl(value)
+        }
+      } else if (typeof value === 'object' && value !== null) {
+        processObject(value as Record<string, NestedValue> | NestedValue[])
+      }
+    }
+  }
+  processObject(body as Record<string, NestedValue> | NestedValue[])
+}