Situation
If the value of a secret is included as plain text anywhere in the command, it is masked as "***".
For example, if one creates the secret USER with the value devuser and then includes the command echo devuser, the output is ***.
Below is a code snippet that can replicate the issue. As you can see, the masking occurs in the creation of the command. In this case, I was able to verify that echo *** was the command executed on the server.
This could present a significant security concern since it could allow you to guess the value of a secret if it was included as plain text.
In reality, it just presents a nuisance if you are keeping your username as a secret, and want to refer to paths within that user's home directory within the script since it will mask the username (i.e. making the path /home/***/...). Interestingly, this masking occurs even when paths are included using ~.
steps:
  # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
  - uses: appleboy/ssh-action@master
    with:
      host: some.remote.com
      username: ${{ secrets.USER }} #VALUE OF SECRET.USER IS DEVUSER
      password: ${{ secrets.PASSWORD }}
      script: |
        echo devuser
Expected Output
======CMD======
echo devuser
======END======
out: devuser
==============================================
✅ Successfully executed commands to all host.
==============================================
Actual Output
======CMD======
echo ***
======END======
out: ***
==============================================
✅ Successfully executed commands to all host.
==============================================
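The behaviour reported above can be modelled and checked for locally. The following is an added example, not part of the original report and not code from appleboy/ssh-action or GitHub: it assumes masking is a plain substring replacement of each secret's value, and the names `mask_log` and `literal_secret_uses` and all sample values are hypothetical.

```python
import re

MASK = "***"


def mask_log(text, secret_values):
    """Replace every occurrence of a registered secret value with ***.

    Assumption: masking is value-based substring replacement, so any text
    that happens to contain the value is affected, not only secret uses.
    """
    # Longest first, so a value containing another value is masked whole.
    values = sorted((v for v in secret_values if v), key=len, reverse=True)
    if not values:
        return text
    pattern = re.compile("|".join(re.escape(v) for v in values))
    return pattern.sub(MASK, text)


def literal_secret_uses(script, secrets):
    """Return (line_number, secret_name) for each script line that contains
    a secret's value as plain text instead of a ${{ secrets.NAME }} reference."""
    hits = []
    for number, line in enumerate(script.splitlines(), start=1):
        for name, value in secrets.items():
            if value and value in line:
                hits.append((number, name))
    return hits


# Constructed sample data mirroring the report (values are made up).
SECRETS = {"USER": "devuser", "PASSWORD": "constructed-pass-1"}
SCRIPT = "echo devuser\nls /home/devuser/app\necho ~/app\n"
# Constructed remote output: the remote shell expands ~ to the home path,
# so the value appears in the output although line 3 never spells it out.
REMOTE_OUTPUT = "out: devuser\nout: /home/devuser/app\n"

if __name__ == "__main__":
    print(mask_log(SCRIPT, SECRETS.values()))
    print(mask_log(REMOTE_OUTPUT, SECRETS.values()))
    for number, name in literal_secret_uses(SCRIPT, SECRETS):
        print(f"script line {number} contains the value of secret {name}")
```

Running the check before committing a workflow shows which script lines will be displayed with `***`, and it flags low-entropy values such as a username that are likely to collide with ordinary text.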