actions/toolkit
1
0
Fork 0
mirror of https://git.mirrors.martin98.com/https://github.com/actions/toolkit synced 2025-08-20 12:39:08 +08:00
Code Issues Packages Projects Releases Wiki Activity

masks the whole URL, update tests

Browse Source
This commit is contained in:
Salman Chishti 2025-03-10 06:47:52 -07:00
parent 1cd2f8a538
commit 47c4fa85df
6 changed files with 220 additions and 135 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

104
packages/artifact/__tests__/artifactTwirpClient.test.ts
View File

@ -1,9 +1,6 @@
import {ArtifactHttpClient} from '../src/internal/shared/artifact-twirp-client' import {ArtifactHttpClient} from '../src/internal/shared/artifact-twirp-client'
import {setSecret, debug} from '@actions/core' import {setSecret} from '@actions/core'
import { import {CreateArtifactResponse} from '../src/generated/results/api/v1/artifact'
CreateArtifactResponse,
GetSignedArtifactURLResponse
} from '../src/generated/results/api/v1/artifact'
jest.mock('@actions/core', () => ({ jest.mock('@actions/core', () => ({
setSecret: jest.fn(), setSecret: jest.fn(),
@ -26,70 +23,101 @@ describe('ArtifactHttpClient', () => {
delete process.env['ACTIONS_RESULTS_URL'] delete process.env['ACTIONS_RESULTS_URL']
}) })
describe('maskSigUrl', () => {
it('should mask the sig parameter and set it as a secret', () => {
const url =
'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
const maskedUrl = client.maskSigUrl(url)
expect(setSecret).toHaveBeenCalledWith('secret-token')
expect(maskedUrl).toBe(
'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***'
)
})
it('should return the original URL if no sig parameter is found', () => {
const url = 'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z'
const maskedUrl = client.maskSigUrl(url)
expect(setSecret).not.toHaveBeenCalled()
expect(maskedUrl).toBe(url)
})
it('should handle sig parameter at the end of the URL', () => {
const url = 'https://example.com/upload?param1=value&sig=secret-token'
const maskedUrl = client.maskSigUrl(url)
expect(setSecret).toHaveBeenCalledWith('secret-token')
expect(maskedUrl).toBe('https://example.com/upload?param1=value&sig=***')
})
it('should handle sig parameter in the middle of the URL', () => {
const url = 'https://example.com/upload?sig=secret-token&param2=value'
const maskedUrl = client.maskSigUrl(url)
expect(setSecret).toHaveBeenCalledWith('secret-token&param2=value')
expect(maskedUrl).toBe('https://example.com/upload?sig=***')
})
})
describe('maskSecretUrls', () => { describe('maskSecretUrls', () => {
it('should mask signed_upload_url', () => { it('should mask signed_upload_url', () => {
const response: CreateArtifactResponse = { const spy = jest.spyOn(client, 'maskSigUrl')
const response = {
ok: true, ok: true,
signedUploadUrl: signed_upload_url:
'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token' 'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
} }
client.maskSecretUrls(response) client.maskSecretUrls(response)
expect(setSecret).toHaveBeenCalledWith('secret-token') expect(spy).toHaveBeenCalledWith(
expect(debug).toHaveBeenCalledWith( 'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
'Masked signed_upload_url: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***'
) )
}) })
it('should mask signed_download_url', () => { it('should mask signed_download_url', () => {
const response: GetSignedArtifactURLResponse = { const spy = jest.spyOn(client, 'maskSigUrl')
signedUrl: const response = {
signed_url:
'https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=secret-token' 'https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
} }
client.maskSecretUrls(response) client.maskSecretUrls(response)
expect(setSecret).toHaveBeenCalledWith('secret-token') expect(spy).toHaveBeenCalledWith(
expect(debug).toHaveBeenCalledWith( 'https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
'Masked signed_url: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***'
) )
}) })
it('should not call setSecret if URLs are missing', () => { it('should not call maskSigUrl if URLs are missing', () => {
const spy = jest.spyOn(client, 'maskSigUrl')
const response = {} as CreateArtifactResponse const response = {} as CreateArtifactResponse
client.maskSecretUrls(response) client.maskSecretUrls(response)
expect(setSecret).not.toHaveBeenCalled() expect(spy).not.toHaveBeenCalled()
}) })
it('should mask only the sensitive token part of signed_upload_url', () => { it('should handle both URL types when present', () => {
const response: CreateArtifactResponse = { const spy = jest.spyOn(client, 'maskSigUrl')
ok: true, const response = {
signedUploadUrl: signed_upload_url: 'https://example.com/upload?sig=secret-token1',
'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token' signed_url: 'https://example.com/download?sig=secret-token2'
} }
client.maskSecretUrls(response) client.maskSecretUrls(response)
expect(setSecret).toHaveBeenCalledWith('secret-token') expect(spy).toHaveBeenCalledTimes(2)
expect(debug).toHaveBeenCalledWith( expect(spy).toHaveBeenCalledWith(
'Masked signed_upload_url: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***' 'https://example.com/upload?sig=secret-token1'
) )
}) expect(spy).toHaveBeenCalledWith(
'https://example.com/download?sig=secret-token2'
it('should mask only the sensitive token part of signed_download_url', () => {
const response: GetSignedArtifactURLResponse = {
signedUrl:
'https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
}
client.maskSecretUrls(response)
expect(setSecret).toHaveBeenCalledWith('secret-token')
expect(debug).toHaveBeenCalledWith(
'Masked signed_url: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***'
) )
}) })
}) })

38
packages/artifact/src/internal/shared/artifact-twirp-client.ts
View File

@ -5,10 +5,6 @@ import {ArtifactServiceClientJSON} from '../../generated'
import {getResultsServiceUrl, getRuntimeToken} from './config' import {getResultsServiceUrl, getRuntimeToken} from './config'
import {getUserAgentString} from './user-agent' import {getUserAgentString} from './user-agent'
import {NetworkError, UsageError} from './errors' import {NetworkError, UsageError} from './errors'
import {
CreateArtifactResponse,
GetSignedArtifactURLResponse
} from '../../generated/results/api/v1/artifact'
// The twirp http client must implement this interface // The twirp http client must implement this interface
interface Rpc { interface Rpc {
@ -77,24 +73,32 @@ export class ArtifactHttpClient implements Rpc {
/** /**
* Masks the `sig` parameter in a URL and sets it as a secret. * Masks the `sig` parameter in a URL and sets it as a secret.
* @param url The URL containing the `sig` parameter. * @param url The URL containing the `sig` parameter.
* @param urlType The type of the URL (e.g., 'signed_upload_url', 'signed_download_url'). * @returns A masked URL where the sig parameter value is replaced with '***' if found,
* or the original URL if no sig parameter is present.
*/ */
maskSigUrl(url: string, urlType: string): void { maskSigUrl(url: string): string {
const sigMatch = url.match(/[?&]sig=([^&]+)/) const sigIndex = url.indexOf('sig=')
if (sigMatch) { if (sigIndex !== -1) {
setSecret(sigMatch[1]) const sigValue = url.substring(sigIndex + 4)
debug(`Masked ${urlType}: ${url.replace(sigMatch[1], '***')}`) setSecret(sigValue)
return `${url.substring(0, sigIndex + 4)}***`
} }
return url
} }
maskSecretUrls( maskSecretUrls(body): void {
body: CreateArtifactResponse | GetSignedArtifactURLResponse if (typeof body === 'object' && body !== null) {
): void { if (
if ('signedUploadUrl' in body && body.signedUploadUrl) { 'signed_upload_url' in body &&
this.maskSigUrl(body.signedUploadUrl, 'signed_upload_url') typeof body.signed_upload_url === 'string'
) {
this.maskSigUrl(body.signed_upload_url)
} }
if ('signedUrl' in body && body.signedUrl) { if ('signed_url' in body && typeof body.signed_url === 'string') {
this.maskSigUrl(body.signedUrl, 'signed_url') this.maskSigUrl(body.signed_url)
}
} else {
debug('body is not an object or is null')
} }
} }

133
packages/cache/__tests__/cacheTwirpClient.test.ts vendored
View File

@ -1,9 +1,5 @@
import {
CreateCacheEntryResponse,
GetCacheEntryDownloadURLResponse
} from '../src/generated/results/api/v1/cache'
import {CacheServiceClient} from '../src/internal/shared/cacheTwirpClient' import {CacheServiceClient} from '../src/internal/shared/cacheTwirpClient'
import {setSecret, debug} from '@actions/core' import {setSecret} from '@actions/core'
jest.mock('@actions/core', () => ({ jest.mock('@actions/core', () => ({
setSecret: jest.fn(), setSecret: jest.fn(),
@ -24,75 +20,106 @@ describe('CacheServiceClient', () => {
delete process.env['ACTIONS_RUNTIME_TOKEN'] delete process.env['ACTIONS_RUNTIME_TOKEN']
}) })
describe('maskSecretUrls', () => { describe('maskSigUrl', () => {
it('should mask signedUploadUrl', () => { it('should mask the sig parameter and set it as a secret', () => {
const response = { const url =
ok: true,
signedUploadUrl:
'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token' 'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
} as CreateCacheEntryResponse
client.maskSecretUrls(response) const maskedUrl = client.maskSigUrl(url)
expect(setSecret).toHaveBeenCalledWith('secret-token') expect(setSecret).toHaveBeenCalledWith('secret-token')
expect(debug).toHaveBeenCalledWith( expect(maskedUrl).toBe(
'Masked signed_upload_url: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***' 'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***'
) )
}) })
it('should mask signedDownloadUrl', () => { it('should return the original URL if no sig parameter is found', () => {
const response = { const url = 'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z'
ok: true,
signedDownloadUrl:
'https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=secret-token',
matchedKey: 'cache-key'
} as GetCacheEntryDownloadURLResponse
client.maskSecretUrls(response) const maskedUrl = client.maskSigUrl(url)
expect(setSecret).toHaveBeenCalledWith('secret-token')
expect(debug).toHaveBeenCalledWith(
'Masked signed_download_url: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***'
)
})
it('should not call setSecret if URLs are missing', () => {
const response = {ok: true} as CreateCacheEntryResponse
client.maskSecretUrls(response)
expect(setSecret).not.toHaveBeenCalled() expect(setSecret).not.toHaveBeenCalled()
expect(maskedUrl).toBe(url)
}) })
it('should mask only the sensitive token part of signedUploadUrl', () => { it('should handle sig parameter at the end of the URL', () => {
const response = { const url = 'https://example.com/upload?param1=value&sig=secret-token'
ok: true,
signedUploadUrl:
'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
} as CreateCacheEntryResponse
client.maskSecretUrls(response) const maskedUrl = client.maskSigUrl(url)
expect(setSecret).toHaveBeenCalledWith('secret-token') expect(setSecret).toHaveBeenCalledWith('secret-token')
expect(debug).toHaveBeenCalledWith( expect(maskedUrl).toBe('https://example.com/upload?param1=value&sig=***')
'Masked signed_upload_url: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***' })
it('should handle sig parameter in the middle of the URL', () => {
const url = 'https://example.com/upload?sig=secret-token&param2=value'
const maskedUrl = client.maskSigUrl(url)
expect(setSecret).toHaveBeenCalledWith('secret-token&param2=value')
expect(maskedUrl).toBe('https://example.com/upload?sig=***')
})
})
describe('maskSecretUrls', () => {
it('should mask signed_upload_url', () => {
const spy = jest.spyOn(client, 'maskSigUrl')
const body = {
signed_upload_url: 'https://example.com/upload?sig=secret-token',
key: 'test-key',
version: 'test-version'
}
client.maskSecretUrls(body)
expect(spy).toHaveBeenCalledWith(
'https://example.com/upload?sig=secret-token'
) )
}) })
it('should mask only the sensitive token part of signedDownloadUrl', () => { it('should mask signed_download_url', () => {
const response = { const spy = jest.spyOn(client, 'maskSigUrl')
ok: true, const body = {
signedDownloadUrl: signed_download_url: 'https://example.com/download?sig=secret-token',
'https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=secret-token', key: 'test-key',
matchedKey: 'cache-key' version: 'test-version'
} as GetCacheEntryDownloadURLResponse }
client.maskSecretUrls(response) client.maskSecretUrls(body)
expect(setSecret).toHaveBeenCalledWith('secret-token') expect(spy).toHaveBeenCalledWith(
expect(debug).toHaveBeenCalledWith( 'https://example.com/download?sig=secret-token'
'Masked signed_download_url: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***'
) )
}) })
it('should mask both URLs when both are present', () => {
const spy = jest.spyOn(client, 'maskSigUrl')
const body = {
signed_upload_url: 'https://example.com/upload?sig=secret-token1',
signed_download_url: 'https://example.com/download?sig=secret-token2'
}
client.maskSecretUrls(body)
expect(spy).toHaveBeenCalledTimes(2)
expect(spy).toHaveBeenCalledWith(
'https://example.com/upload?sig=secret-token1'
)
expect(spy).toHaveBeenCalledWith(
'https://example.com/download?sig=secret-token2'
)
})
it('should not call maskSigUrl when URLs are missing', () => {
const spy = jest.spyOn(client, 'maskSigUrl')
const body = {
key: 'test-key',
version: 'test-version'
}
client.maskSecretUrls(body)
expect(spy).not.toHaveBeenCalled()
})
}) })
}) })

31
packages/cache/package-lock.json generated vendored
View File

@ -21,6 +21,7 @@
"semver": "^6.3.1" "semver": "^6.3.1"
}, },
"devDependencies": { "devDependencies": {
"@types/node": "^22.13.9",
"@types/semver": "^6.0.0", "@types/semver": "^6.0.0",
"typescript": "^5.2.2" "typescript": "^5.2.2"
} }
@ -324,9 +325,13 @@
} }
}, },
"node_modules/@types/node": { "node_modules/@types/node": {
"version": "20.4.6", "version": "22.13.9",
"resolved": "https://registry.npmjs.org/@types/node/-/node-20.4.6.tgz", "resolved": "https://registry.npmjs.org/@types/node/-/node-22.13.9.tgz",
"integrity": "sha512-q0RkvNgMweWWIvSMDiXhflGUKMdIxBo2M2tYM/0kEGDueQByFzK4KZAgu5YHGFNxziTlppNpTIBcqHQAxlfHdA==" "integrity": "sha512-acBjXdRJ3A6Pb3tqnw9HZmyR3Fiol3aGxRCK1x3d+6CDAMjl7I649wpSd+yNURCjbOUGu9tqtLKnTGxmK6CyGw==",
"license": "MIT",
"dependencies": {
"undici-types": "~6.20.0"
}
}, },
"node_modules/@types/node-fetch": { "node_modules/@types/node-fetch": {
"version": "2.6.4", "version": "2.6.4",
@ -548,6 +553,12 @@
"node": ">=14.17" "node": ">=14.17"
} }
}, },
"node_modules/undici-types": {
"version": "6.20.0",
"resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.20.0.tgz",
"integrity": "sha512-Ny6QZ2Nju20vw1SRHe3d9jVu6gJ+4e3+MMpqu7pqE5HT6WsTSlce++GQmK5UXS8mzV8DSYHrQH+Xrf2jVcuKNg==",
"license": "MIT"
},
"node_modules/webidl-conversions": { "node_modules/webidl-conversions": {
"version": "3.0.1", "version": "3.0.1",
"resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz", "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz",
@ -824,9 +835,12 @@
} }
}, },
"@types/node": { "@types/node": {
"version": "20.4.6", "version": "22.13.9",
"resolved": "https://registry.npmjs.org/@types/node/-/node-20.4.6.tgz", "resolved": "https://registry.npmjs.org/@types/node/-/node-22.13.9.tgz",
"integrity": "sha512-q0RkvNgMweWWIvSMDiXhflGUKMdIxBo2M2tYM/0kEGDueQByFzK4KZAgu5YHGFNxziTlppNpTIBcqHQAxlfHdA==" "integrity": "sha512-acBjXdRJ3A6Pb3tqnw9HZmyR3Fiol3aGxRCK1x3d+6CDAMjl7I649wpSd+yNURCjbOUGu9tqtLKnTGxmK6CyGw==",
"requires": {
"undici-types": "~6.20.0"
}
}, },
"@types/node-fetch": { "@types/node-fetch": {
"version": "2.6.4", "version": "2.6.4",
@ -993,6 +1007,11 @@
"integrity": "sha512-mI4WrpHsbCIcwT9cF4FZvr80QUeKvsUsUvKDoR+X/7XHQH98xYD8YHZg7ANtz2GtZt/CBq2QJ0thkGJMHfqc1w==", "integrity": "sha512-mI4WrpHsbCIcwT9cF4FZvr80QUeKvsUsUvKDoR+X/7XHQH98xYD8YHZg7ANtz2GtZt/CBq2QJ0thkGJMHfqc1w==",
"dev": true "dev": true
}, },
"undici-types": {
"version": "6.20.0",
"resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.20.0.tgz",
"integrity": "sha512-Ny6QZ2Nju20vw1SRHe3d9jVu6gJ+4e3+MMpqu7pqE5HT6WsTSlce++GQmK5UXS8mzV8DSYHrQH+Xrf2jVcuKNg=="
},
"webidl-conversions": { "webidl-conversions": {
"version": "3.0.1", "version": "3.0.1",
"resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz", "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-3.0.1.tgz",

2
packages/cache/package.json vendored
View File

@ -47,10 +47,10 @@
"@azure/ms-rest-js": "^2.6.0", "@azure/ms-rest-js": "^2.6.0",
"@azure/storage-blob": "^12.13.0", "@azure/storage-blob": "^12.13.0",
"@protobuf-ts/plugin": "^2.9.4", "@protobuf-ts/plugin": "^2.9.4",
"@types/node": "^22.13.9",
"semver": "^6.3.1" "semver": "^6.3.1"
}, },
"devDependencies": { "devDependencies": {
"@types/node": "^22.13.9",
"@types/semver": "^6.0.0", "@types/semver": "^6.0.0",
"typescript": "^5.2.2" "typescript": "^5.2.2"
} }

41
packages/cache/src/internal/shared/cacheTwirpClient.ts vendored
View File

@ -6,10 +6,6 @@ import {getRuntimeToken} from '../cacheUtils'
import {BearerCredentialHandler} from '@actions/http-client/lib/auth' import {BearerCredentialHandler} from '@actions/http-client/lib/auth'
import {HttpClient, HttpClientResponse, HttpCodes} from '@actions/http-client' import {HttpClient, HttpClientResponse, HttpCodes} from '@actions/http-client'
import {CacheServiceClientJSON} from '../../generated/results/api/v1/cache.twirp-client' import {CacheServiceClientJSON} from '../../generated/results/api/v1/cache.twirp-client'
import {
CreateCacheEntryResponse,
GetCacheEntryDownloadURLResponse
} from '../../generated/results/api/v1/cache'
// The twirp http client must implement this interface // The twirp http client must implement this interface
interface Rpc { interface Rpc {
@ -156,24 +152,35 @@ export class CacheServiceClient implements Rpc {
/** /**
* Masks the `sig` parameter in a URL and sets it as a secret. * Masks the `sig` parameter in a URL and sets it as a secret.
* @param url The URL containing the `sig` parameter. * @param url The URL containing the `sig` parameter.
* @param urlType The type of the URL (e.g., 'signed_upload_url', 'signed_download_url'). * @returns A masked URL where the sig parameter value is replaced with '***' if found,
* or the original URL if no sig parameter is present.
*/ */
maskSigUrl(url: string, urlType: string): void { maskSigUrl(url: string): string {
const sigMatch = url.match(/[?&]sig=([^&]+)/) const sigIndex = url.indexOf('sig=')
if (sigMatch) { if (sigIndex !== -1) {
setSecret(sigMatch[1]) const sigValue = url.substring(sigIndex + 4)
debug(`Masked ${urlType}: ${url.replace(sigMatch[1], '***')}`) setSecret(sigValue)
return `${url.substring(0, sigIndex + 4)}***`
} }
return url
} }
maskSecretUrls( maskSecretUrls(body): void {
body: CreateCacheEntryResponse | GetCacheEntryDownloadURLResponse if (typeof body === 'object' && body !== null) {
): void { if (
if ('signedUploadUrl' in body && body.signedUploadUrl) { 'signed_upload_url' in body &&
this.maskSigUrl(body.signedUploadUrl, 'signed_upload_url') typeof body.signed_upload_url === 'string'
) {
this.maskSigUrl(body.signed_upload_url)
} }
if ('signedDownloadUrl' in body && body.signedDownloadUrl) { if (
this.maskSigUrl(body.signedDownloadUrl, 'signed_download_url') 'signed_download_url' in body &&
typeof body.signed_download_url === 'string'
) {
this.maskSigUrl(body.signed_download_url)
}
} else {
debug('body is not an object or is null')
} }
} }