
Exposes secrets in plaintext #205

Closed
kotyara85 opened this issue Apr 20, 2021 · 1 comment · Fixed by #208
Labels
bug Something isn't working

Comments

@kotyara85

When using v0.2.1, actions output secrets in plaintext. Here's an example:

pipeline output:

Run
  echo "-----BEGIN OPENSSH PRIVATE KEY-----"

pipeline itself:

on: push
jobs:
  test:
    strategy:
      matrix:
        go-version: [1.16.x]
    runs-on: self-hosted
    steps:
      - name: Import Secrets
        id: secrets
        uses: github/vault-action@v2.1.2
        with:
          url: https://vault:8200
          method: approle
          roleId: abc
          secretId: ${{ secrets.SECRETID }}
          tlsSkipVerify: true
          secrets: |
            secret/data/secret ssh-key | SSH_KEY ;
      - name: Install Go
        uses: actions/setup-go@v2
        with:
          go-version: ${{ matrix.go-version }}
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Setup bitbucket
        run: |
          echo "${{ env.SSH_KEY }}" > ~/.ssh/id_rsa
      - name: Test
        run: make test
kotyara85 added the "bug" label on Apr 20, 2021
@jasonodonnell
Contributor

Thanks @kotyara85, this is indeed a bug introduced by a limitation in GH Actions toolkit. In the documentation I see this warning:

WARNING: The add-mask and setSecret commands only support single-line secrets. To register a multiline secret you must register each line individually, otherwise it will not be masked.

We'll get this fixed up and release a new provider. In the future, please send all security issues to security@hashicorp.com.
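The per-line registration the toolkit warning describes, as an added example that is not vault-action's own code: it builds the `::add-mask::` workflow commands for a multi-line value both ways and runs a simplified, assumed stand-in for the runner's log masking over the "Setup bitbucket" step from the pipeline above, with a constructed sample key. The `escapeData`, `addMaskCommands`, `maskLog` and `demo` names are this example's own.

```javascript
// Added example (not vault-action code): registering a multi-line secret with the
// runner one line at a time, as the quoted toolkit warning requires.
// The mask simulator below is an assumption for illustration, not the real runner.
const ADD_MASK = "::add-mask::";

// Escape a value for a workflow command, per the Actions documentation.
function escapeData(s) {
  return s.replace(/%/g, "%25").replace(/\r/g, "%0D").replace(/\n/g, "%0A");
}

// Build the `::add-mask::` commands for a secret.
// perLine=false: one command for the whole value (what breaks for multi-line secrets)
// perLine=true:  one command per non-empty line (the workaround)
function addMaskCommands(secret, { perLine = true } = {}) {
  const parts = perLine ? secret.split(/\r?\n/) : [secret];
  return parts.filter((p) => p.trim() !== "").map((p) => ADD_MASK + escapeData(p));
}

// Simplified stand-in for the runner: logs are masked line by line, so a registered
// value that itself spans lines can never match and is effectively ignored.
function maskLog(logText, commands) {
  const masks = commands
    .filter((c) => c.startsWith(ADD_MASK))
    .map((c) => c.slice(ADD_MASK.length).replace(/%0A/g, "\n").replace(/%0D/g, "\r").replace(/%25/g, "%"));
  return logText
    .split("\n")
    .map((line) => masks.reduce((acc, m) => acc.split(m).join("***"), line))
    .join("\n");
}

// Constructed sample key for the demo (not a real key).
const SAMPLE_KEY = [
  "-----BEGIN OPENSSH PRIVATE KEY-----",
  "c2FtcGxlLWxpbmUtb25l",
  "c2FtcGxlLWxpbmUtdHdv",
  "-----END OPENSSH PRIVATE KEY-----",
].join("\n");

// What the "Setup bitbucket" step logs: the script with ${{ env.SSH_KEY }} expanded.
const STEP_LOG = `Run\n  echo "${SAMPLE_KEY}" > ~/.ssh/id_rsa`;

// Returns the step log as the runner would show it under each registration style.
function demo() {
  return {
    leaky: maskLog(STEP_LOG, addMaskCommands(SAMPLE_KEY, { perLine: false })),
    fixed: maskLog(STEP_LOG, addMaskCommands(SAMPLE_KEY, { perLine: true })),
  };
}
console.log(demo().leaky, "\n---\n", demo().fixed);
```

With the whole value registered once, every line of the key survives in the log exactly as in the report above; registered per line, each line of the key becomes `***` while the rest of the command stays readable.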
