Skitionek / notify-microsoft-teams

GitHub action to send a comprehensive report to Microsoft Teams
68 stars, 31 forks

GH secrets can be returned in notifications #38

Open Miker91 opened 1 year ago

Miker91 commented 1 year ago

Hi,

Secrets should not be parsed and returned in the notifications. People may want to use this action having organization-wide secrets which should not be returned in clear text.

Example:

      - uses: actions/checkout@master
      - name: Microsoft Teams Notification
        uses: skitionek/notify-microsoft-teams@master
        if: always()
        with:
          webhook_url: ${{ secrets.MS_TEAMS_WEBHOOK_URI }}
          overwrite: "{title: `Overwrote title in ${{ secrets.MS_TEAMS_WEBHOOK_URI }}`}"

Result: [screenshot]

Skitionek commented 1 year ago

Good point - will take a look into it

oxc commented 1 year ago

I don't think the secrets are evaluated by the eval call. They are already evaluated as part of the overwrite value by GitHub Actions. You need to escape the ${{...}} in your yaml expression.

Having said that, I guess the eval can leak undesired properties. I would go for a more explicit way to replace the variables you want to support, something like this (untested):

  // replaceAll needs a global regex; the callback gets the full match first, then the capture group
  overwrite.replaceAll(/\$\{(\w+)\}/g, (match, varName) => {
    switch (varName) {
      case 'workflow_link': return workflow_link
      // ...
      default: return match // unknown placeholder: leave it untouched
    }
  });

or

  const vars = { workflow_link, /* ... */ };
  // in a template literal `\$` and `\{` collapse to `$` and `{`, so the backslashes must be doubled
  const pattern = new RegExp(`\\$\\{(${Object.keys(vars).join('|')})\\}`, 'g');
  overwrite.replaceAll(pattern, (match, varName) => vars[varName]);

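A fuller version of the allow-listed substitution sketched above, as an added example that is not the action's own code or oxc's: placeholder names are regex-escaped, unknown placeholders are left untouched, and (going one step beyond the thread, as an assumption about what the action could do) any known secret value such as the webhook URL is scrubbed from the text before it would be sent. The `vars`, `webhook` and `overwrite` values are constructed sample input mirroring the issue.

```javascript
// Added example (not the action's own code): explicit, allow-listed
// placeholder substitution for the `overwrite` input, instead of eval.
// Only names present in `vars` are expanded; anything else stays literal.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function substituteAllowed(template, vars) {
  const names = Object.keys(vars).map(escapeRegExp).join('|');
  if (!names) return template;
  // Matches `${name}` only for allow-listed names; replaceAll requires the `g` flag.
  const pattern = new RegExp(`\\$\\{(${names})\\}`, 'g');
  // A function replacer means `$&`-style patterns in values are not interpreted.
  return template.replaceAll(pattern, (_match, name) => String(vars[name]));
}

// Defensive extra (assumption, not from the thread): GitHub Actions has already
// expanded `${{ secrets.X }}` before the action runs, so the only remaining
// control is to scrub known secret values from the outgoing message text.
function redactSecrets(text, secretValues) {
  let out = text;
  for (const v of secretValues) {
    if (v) out = out.replaceAll(v, '***');
  }
  return out;
}

// Constructed sample input: the secret has already been interpolated into the
// overwrite string by the workflow, exactly as in the issue's example.
const vars = { workflow_link: 'https://github.com/example/repo/actions/runs/1' };
const webhook = 'https://example.webhook.office.com/webhookb2/constructed';
const overwrite = 'Overwrote title in ' + webhook + ' for ${workflow_link} ${unlisted_name}';

function demo() {
  const title = substituteAllowed(overwrite, vars);
  return redactSecrets(title, [webhook]);
}

console.log(demo());
```
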
copdips commented 9 months ago

@Miker91 @Skitionek I don't see such a bug as of now, maybe the bug has been fixed, would you confirm?