actions/toolkit
1
0
Fork 0
mirror of https://git.mirrors.martin98.com/https://github.com/actions/toolkit synced 2026-04-01 09:43:27 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add secret and signature masking for cache and artifact packages

Browse Source
This commit is contained in:
Salman Chishti
2025-03-06 14:25:32 -08:00
parent ec9716b3cc
commit 944e6b78db
6 changed files with 240 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

98
packages/cache/__tests__/cacheTwirpClient.test.ts vendored Normal file
View File

@@ -0,0 +1,98 @@
import {
CreateCacheEntryResponse,
GetCacheEntryDownloadURLResponse
} from '../src/generated/results/api/v1/cache'
import {CacheServiceClient} from '../src/internal/shared/cacheTwirpClient'
import {setSecret, debug} from '@actions/core'
jest.mock('@actions/core', () => ({
setSecret: jest.fn(),
info: jest.fn(),
debug: jest.fn()
}))
describe('CacheServiceClient', () => {
let client: CacheServiceClient
beforeEach(() => {
jest.clearAllMocks()
process.env['ACTIONS_RUNTIME_TOKEN'] = 'test-token' // <-- set the required env variable
client = new CacheServiceClient('test-agent')
})
afterEach(() => {
delete process.env['ACTIONS_RUNTIME_TOKEN'] // <-- clean up after tests
})
describe('maskSecretUrls', () => {
it('should mask signedUploadUrl', () => {
const response = {
ok: true,
signedUploadUrl:
'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
} as CreateCacheEntryResponse
client.maskSecretUrls(response)
expect(setSecret).toHaveBeenCalledWith('secret-token')
expect(debug).toHaveBeenCalledWith(
'Masked signedUploadUrl: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***'
)
})
it('should mask signedDownloadUrl', () => {
const response = {
ok: true,
signedDownloadUrl:
'https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=secret-token',
matchedKey: 'cache-key'
} as GetCacheEntryDownloadURLResponse
client.maskSecretUrls(response)
expect(setSecret).toHaveBeenCalledWith('secret-token')
expect(debug).toHaveBeenCalledWith(
'Masked signedDownloadUrl: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***'
)
})
it('should not call setSecret if URLs are missing', () => {
const response = {ok: true} as CreateCacheEntryResponse
client.maskSecretUrls(response)
expect(setSecret).not.toHaveBeenCalled()
})
it('should mask only the sensitive token part of signedUploadUrl', () => {
const response = {
ok: true,
signedUploadUrl:
'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token'
} as CreateCacheEntryResponse
client.maskSecretUrls(response)
expect(setSecret).toHaveBeenCalledWith('secret-token')
expect(debug).toHaveBeenCalledWith(
'Masked signedUploadUrl: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***'
)
})
it('should mask only the sensitive token part of signedDownloadUrl', () => {
const response = {
ok: true,
signedDownloadUrl:
'https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=secret-token',
matchedKey: 'cache-key'
} as GetCacheEntryDownloadURLResponse
client.maskSecretUrls(response)
expect(setSecret).toHaveBeenCalledWith('secret-token')
expect(debug).toHaveBeenCalledWith(
'Masked signedDownloadUrl: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***'
)
})
})
})

6
packages/cache/__tests__/saveCacheV2.test.ts vendored
View File

@@ -8,10 +8,16 @@ import * as tar from '../src/internal/tar'
import {CacheServiceClientJSON} from '../src/generated/results/api/v1/cache.twirp-client'
import * as cacheHttpClient from '../src/internal/cacheHttpClient'
import {UploadOptions} from '../src/options'
import {
CreateCacheEntryResponse,
GetCacheEntryDownloadURLResponse
} from '../src/generated/results/api/v1/cache'
import {CacheServiceClient} from '../src/internal/shared/cacheTwirpClient'
let logDebugMock: jest.SpyInstance
jest.mock('../src/internal/tar')
jest.mock('@actions/core')
const uploadFileMock = jest.fn()
const blockBlobClientMock = jest.fn().mockImplementation(() => ({

20
packages/cache/src/internal/shared/cacheTwirpClient.ts vendored
View File

@@ -1,4 +1,4 @@
import {info, debug} from '@actions/core'
import {info, debug, maskSigUrl} from '@actions/core'
import {getUserAgentString} from './user-agent'
import {NetworkError, UsageError} from './errors'
import {getCacheServiceURL} from '../config'
@@ -6,6 +6,10 @@ import {getRuntimeToken} from '../cacheUtils'
import {BearerCredentialHandler} from '@actions/http-client/lib/auth'
import {HttpClient, HttpClientResponse, HttpCodes} from '@actions/http-client'
import {CacheServiceClientJSON} from '../../generated/results/api/v1/cache.twirp-client'
import {
CreateCacheEntryResponse,
GetCacheEntryDownloadURLResponse
} from '../../generated/results/api/v1/cache'
// The twirp http client must implement this interface
interface Rpc {
@@ -24,7 +28,7 @@ interface Rpc {
*
* This class is used to interact with cache service v2.
*/
class CacheServiceClient implements Rpc {
export class CacheServiceClient implements Rpc {
private httpClient: HttpClient
private baseUrl: string
private maxAttempts = 5
@@ -94,6 +98,7 @@ class CacheServiceClient implements Rpc {
debug(`[Response] - ${response.message.statusCode}`)
debug(`Headers: ${JSON.stringify(response.message.headers, null, 2)}`)
const body = JSON.parse(rawBody)
this.maskSecretUrls(body)
debug(`Body: ${JSON.stringify(body, null, 2)}`)
if (this.isSuccessStatusCode(statusCode)) {
return {response, body}
@@ -148,6 +153,17 @@ class CacheServiceClient implements Rpc {
throw new Error(`Request failed`)
}
maskSecretUrls(
body: CreateCacheEntryResponse | GetCacheEntryDownloadURLResponse
): void {
if ('signedUploadUrl' in body && body.signedUploadUrl) {
maskSigUrl(body.signedUploadUrl, 'signedUploadUrl')
}
if ('signedDownloadUrl' in body && body.signedDownloadUrl) {
maskSigUrl(body.signedDownloadUrl, 'signedDownloadUrl')
}
}
isSuccessStatusCode(statusCode?: number): boolean {
if (!statusCode) return false
return statusCode >= 200 && statusCode < 300