Add secret and signature masking for cache and artifact packages

2026-04-21 05:38:05 +08:00 · 2025-03-06 14:25:32 -08:00
parent ec9716b3cc
commit 944e6b78db
6 changed files with 240 additions and 4 deletions
--- a/packages/artifact/tests/artifactTwirpClient.test.ts
+++ b/packages/artifact/tests/artifactTwirpClient.test.ts
@@ -0,0 +1,84 @@
+import {ArtifactHttpClient} from '../src/internal/shared/artifact-twirp-client'
+import {setSecret, debug} from '@actions/core'
+import {
+  CreateArtifactResponse,
+  GetSignedArtifactURLResponse
+} from '../src/generated/results/api/v1/artifact'
+
+jest.mock('@actions/core', () => ({
+  setSecret: jest.fn(),
+  info: jest.fn(),
+  debug: jest.fn()
+}))
+
+describe('ArtifactHttpClient', () => {
+  let client: ArtifactHttpClient
+
+  beforeEach(() => {
+    jest.clearAllMocks()
+    process.env['ACTIONS_RUNTIME_TOKEN'] = 'test-token'
+    process.env['ACTIONS_RESULTS_URL'] = 'https://example.com'
+    client = new ArtifactHttpClient('test-agent')
+  })
+
+  afterEach(() => {
+    delete process.env['ACTIONS_RUNTIME_TOKEN']
+    delete process.env['ACTIONS_RESULTS_URL']
+  })
+
+  describe('maskSecretUrls', () => {
+    it('should mask signed_upload_url', () => {
+      const response: CreateArtifactResponse = {
+        ok: true,
+        signedUploadUrl: 'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
+      }
+
+      client.maskSecretUrls(response)
+
+      expect(setSecret).toHaveBeenCalledWith('secret-token')
+      expect(debug).toHaveBeenCalledWith('Masked signed_upload_url: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***')
+    })
+
+    it('should mask signed_download_url', () => {
+      const response: GetSignedArtifactURLResponse = {
+        signedUrl: 'https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
+      }
+
+      client.maskSecretUrls(response)
+
+      expect(setSecret).toHaveBeenCalledWith('secret-token')
+      expect(debug).toHaveBeenCalledWith('Masked signed_download_url: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***')
+    })
+
+    it('should not call setSecret if URLs are missing', () => {
+      const response = {} as CreateArtifactResponse
+
+      client.maskSecretUrls(response)
+
+      expect(setSecret).not.toHaveBeenCalled()
+    })
+
+    it('should mask only the sensitive token part of signed_upload_url', () => {
+      const response: CreateArtifactResponse = {
+        ok: true,
+        signedUploadUrl: 'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
+      }
+
+      client.maskSecretUrls(response)
+
+      expect(setSecret).toHaveBeenCalledWith('secret-token')
+      expect(debug).toHaveBeenCalledWith('Masked signed_upload_url: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***')
+    })
+
+    it('should mask only the sensitive token part of signed_download_url', () => {
+      const response: GetSignedArtifactURLResponse = {
+        signedUrl: 'https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
+      }
+
+      client.maskSecretUrls(response)
+
+      expect(setSecret).toHaveBeenCalledWith('secret-token')
+      expect(debug).toHaveBeenCalledWith('Masked signed_download_url: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***')
+    })
+  })
+})