buildkite / agent

The Buildkite Agent is an open-source toolkit written in Go for securely running build jobs on any device or network
https://buildkite.com/
MIT License
812 stars, 300 forks

buildkite-agent annotate command should redact secrets #2623

Open testworksau opened 9 months ago

testworksau commented 9 months ago

Is your feature request related to a problem? Please describe.

The agent has built-in secrets redaction capabilities, which is ace: https://buildkite.com/docs/agent/v3#promoted-experiments-redacted-variables

However the buildkite-agent annotate function does not redact any input.

This results in the ability for people to create pipelines that can easily bypass the redaction capabilities.

Describe the solution you'd like

buildkite-agent annotate passes the provided messages through to the redaction filter prior to submitting the annotation to the Buildkite server.

Describe alternatives you've considered

None

Additional context

We came across this issue as we had a unit test that was asserting that an environment variable was set to an expected value.

The unit test usually mocks the value; however, a mistake was made in the change that read the env var from the Buildkite agent instead of mocking it.

The expectation failed, and the assertion comparison message contained the secret in its output, which was then stored in the JUnit XML output and attached to the build step.

The junit-annotate-buildkite-plugin processed the JUnit output, and annotated the build with the failure, which resulted in the leak.

https://github.com/buildkite-plugins/junit-annotate-buildkite-plugin/blob/97d3bdea7c325bedf8c704cfc3047d201799da88/hooks/command#L113

Obviously, filtering the annotate command will only resolve part of the problem we faced in this particular instance; the secret was still in plain text in the artifact attached to the build step, and also in Test Analytics, so consideration may need to be made for that separately.
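A sketch of the step the issue asks for, as an added example that is not the agent's own code: pick out secret values by matching environment variable names against the redacted-vars glob patterns, then run the annotation body through the same substitution the log redactor applies before it is submitted. The default patterns and the minimum-length cut-off are assumptions, not read from the agent.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Variable-name globs to treat as secrets. Assumption: these are the agent's
// documented defaults; adjust them to match your own configuration.
var defaultPatterns = []string{
	"*_PASSWORD", "*_SECRET", "*_TOKEN", "*_PRIVATE_KEY",
	"*_ACCESS_KEY", "*_SECRET_KEY", "*_CONNECTION_STRING",
}

// secretValues returns the values of every env var whose name matches one of
// the patterns. Very short values are skipped (assumed threshold) because
// replacing them would mangle unrelated output.
func secretValues(env map[string]string, patterns []string) []string {
	var vals []string
	for name, val := range env {
		if len(val) < 6 {
			continue
		}
		for _, p := range patterns {
			if ok, _ := path.Match(p, name); ok {
				vals = append(vals, val)
				break
			}
		}
	}
	return vals
}

// redactAnnotation is the step the issue asks for: substitute every secret
// value in the annotation body before submission, as the log redactor does.
func redactAnnotation(body string, secrets []string) string {
	pairs := make([]string, 0, 2*len(secrets))
	for _, s := range secrets {
		pairs = append(pairs, s, "[REDACTED]")
	}
	return strings.NewReplacer(pairs...).Replace(body)
}

func main() {
	// Constructed sample: an assertion message lifted from JUnit XML that carries a secret.
	env := map[string]string{"DB_PASSWORD": "s3cr3t-hunter2", "CI": "true"}
	msg := "expected DB_PASSWORD to equal 'mocked' but got 's3cr3t-hunter2'"
	fmt.Println(redactAnnotation(msg, secretValues(env, defaultPatterns)))
}
```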

moskyb commented 8 months ago

g'day @testworksau! secrets redaction is (as you've found) currently focussed only on logs, and we don't guarantee that any other output from the agent gets redacted. we're not currently planning to extend redaction further, however, we'd be happy to accept PRs along this vein. in the meantime, we'll put it in our backlog for further discussion the next time we're working in the area.

if you're keen on making a PR and wanna chat implementation, we're more than happy to help out :)