hashicorp / vault-action

A GitHub Action that simplifies using HashiCorp Vault™ secrets as build variables.
MIT License
443 stars 140 forks

[BUG] Secrets not obfuscated? #546

Open bakoontz2 opened 6 months ago

bakoontz2 commented 6 months ago

Vault server version

v1.14.1

vault-action version

v2.5.0

Describe the bug

Secrets are not obfuscated in GitHub logs when echoed

To Reproduce

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: write
    steps:
    - name: Import Secrets via Hashicorp
      id: import-secrets
      uses: hashicorp/vault-action@v2.5.0
      with:
        method: jwt
        url: https://<hostname>
        namespace: automation/some-namespace
        role: github-os_repo-secrets
        secrets: |
          secrets/data/repo-secrets DATABRICKS_JDBCURL_PROD;
          secrets/data/repo-secrets DATABRICKS_PASS_PROD;
          secrets/data/repo-secrets DATABRICKS_USER_PROD;
        tlsSkipVerify: true
    - name: Output vars
      run: |
        echo ${{ env.DATABRICKS_JDBCURL_PROD }}
        echo ${{ env.DATABRICKS_PASS_PROD }}
        echo ${{ env.DATABRICKS_USER_PROD }}

Expected behavior

The output of the three echo statements should be obfuscated.

Log Output

(screenshot of the log output, attached to the original issue)

Additional info

The reason for the echo statements is to determine if secrets are empty. But I would expect just some content (***), and not the entire string to be visible.

fairclothjm commented 6 months ago

@bakoontz2 Thanks for reporting. However, I am unable to reproduce the issue. Can you please confirm that the repro steps you provided above are exactly what produced the result in your screenshot?

v2.5.0 is a little out of date at this point. Can you please try upgrading to v3 and see if you still see the issue? Thanks

bakoontz2 commented 6 months ago

No problem, let me try with the latest version and I'll report back.

bakoontz2 commented 6 months ago

OK, I updated to v3.0.0, and the issue is still there.

However, I noticed that if I wrap the echo arguments in quotes, the secret is no longer exposed:

    - name: Output vars
      run: |
        echo "${{ env.DATABRICKS_JDBCURL_PROD }}"
        echo "${{ env.DATABRICKS_PASS_PROD }}"
        echo "${{ env.DATABRICKS_USER_PROD }}"

(screenshot of the masked log output, attached to the original issue)

So perhaps this is a GitHub issue: masking behavior affected by whether or not a variable is quoted?
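The quoting observation above has a plausible mechanism that the thread does not spell out: the runner masks exact occurrences of the values it was told to mask, and an unquoted `echo $VAR` goes through the shell's word splitting (and globbing), which can rewrite the value before it reaches the log. The following added example is not code from vault-action or from anyone in this thread; it is a toy stand-in for the masker plus a constructed sample value, and it assumes the leaked value contained whitespace that word splitting altered (the actual content of the reporter's secrets is not stated). It also shows the emptiness check the reporter wanted without printing the value at all.

```shell
#!/usr/bin/env sh
# Added example, not part of the vault-action project or this issue.
# Models why an unquoted echo of a secret can appear unmasked in a log
# while the quoted form is masked, and how to test a secret for emptiness
# without writing it to the log.

# Constructed sample value (not a real credential). The double space is the
# feature that word splitting will change.
SAMPLE_SECRET='jdbc:example://host:443/db;user=svc;opt=a  b'

# Toy masker: replace every exact occurrence of the registered value with
# "***". The real runner does this for values registered with setSecret;
# this stand-in only illustrates the exact-match requirement.
mask_line() {
  # $1 = log line, $2 = registered secret value
  awk -v line="$1" -v sec="$2" 'BEGIN {
    out = ""; rest = line
    while ((i = index(rest, sec)) > 0) {
      out = out substr(rest, 1, i - 1) "***"
      rest = substr(rest, i + length(sec))
    }
    print out rest
  }'
}

# Unquoted expansion: the shell splits the value on whitespace (and would
# glob-expand any * ? [ ), then echo rejoins the words with single spaces,
# so the logged text is no longer the registered value.
unquoted_echo() { echo $SAMPLE_SECRET; }

# Quoted expansion: the value reaches echo unchanged.
quoted_echo()   { echo "$SAMPLE_SECRET"; }

masked_quoted()   { mask_line "$(quoted_echo)"   "$SAMPLE_SECRET"; }
masked_unquoted() { mask_line "$(unquoted_echo)" "$SAMPLE_SECRET"; }

# Emptiness check that reports only presence and length, never the value.
check_secret_present() {
  # $1 = variable name (for the message), $2 = value
  if [ -z "$2" ]; then
    echo "$1: EMPTY"
    return 1
  fi
  echo "$1: present (${#2} chars)"
  return 0
}

# Demonstration when run directly.
echo "quoted echo, after masking   -> $(masked_quoted)"
echo "unquoted echo, after masking -> $(masked_unquoted)"
check_secret_present DATABRICKS_PASS_PROD "$SAMPLE_SECRET"
check_secret_present DATABRICKS_USER_PROD "" || true
```

Whatever the cause in a given run, the defensive point is the same: a workflow step should not print a secret to test it. The `check_secret_present` pattern above (or `[ -n "$VAR" ]` directly in the step) answers the "is it empty?" question while keeping the value out of the log entirely.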

fairclothjm commented 6 months ago

@bakoontz2 Hello, thanks for the information. We recommend taking extra precautions when printing secrets like this and using masking. There are ways of extracting secrets even when using masking, so please ensure you trust your workflow authors.

xmabry commented 2 months ago

Just wanted to find out if there are any additional updates planned to add an extra layer of masking. Using the latest version, I was able to use {{ env.secret }} with masking, but when I'm doing a multi-line secret pull from Vault and reference it from a job output, {{ steps.import-secrets.outputs.secret }}, I'm also seeing it unmasked in that format.