Do not sanitzie secrets with 3 or less chars (#2680)

as these secrets have too low entropy they cannot be valid secrets and
e.g. only make the log unreadable

just add a secret with value `a` to a repo an run a pipeline ...

---
*Sponsored by Kithara Software GmbH*
This commit is contained in:
6543 2023-10-31 19:44:03 +01:00 committed by GitHub
parent 15960e7628
commit 5742e8695c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 14 additions and 6 deletions


@ -20,7 +20,7 @@ func NewSecretsReplacer(secrets []string) *strings.Replacer {
var oldnew []string var oldnew []string
for _, old := range secrets { for _, old := range secrets {
old = strings.TrimSpace(old) old = strings.TrimSpace(old)
if len(old) == 0 { if len(old) <= 3 {
continue continue
} }
// since replacer is executed on each line we have to split multi-line-secrets // since replacer is executed on each line we have to split multi-line-secrets
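Review bot: The new `len(old) <= 3` threshold on the line before the `continue` is an unexplained magic number in a redaction path — nothing in the code says why 3, or that `len` here counts bytes rather than characters, so a later reader cannot tell whether a 3-rune non-ASCII secret being masked is intended. Name it and record the trade-off, e.g. `const minSecretLen = 3` (constructed name) at package scope with the comment `// secrets of minSecretLen bytes or fewer are skipped: they carry too little entropy to be real secrets, and masking them would redact ordinary log text`. Also worth confirming: the check runs before the multi-line split mentioned in the comment below, so a multi-line secret that passes the length check presumably still registers each of its short fragments as a replacement, reintroducing the over-redaction this change is meant to avoid; if so, apply the same threshold to each fragment after the split. NewSecretsReplacer's signature and the remainder of its body lie outside this hunk.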


@ -22,34 +22,42 @@ import (
func TestNewSecretsReplacer(t *testing.T) { func TestNewSecretsReplacer(t *testing.T) {
tc := []struct { tc := []struct {
name string
log string log string
secrets []string secrets []string
expect string expect string
}{{ }{{
name: "dont replace secrets with less than 3 chars",
log: "start log\ndone", log: "start log\ndone",
secrets: []string{""}, secrets: []string{"", "d", "art"},
expect: "start log\ndone", expect: "start log\ndone",
}, { }, {
name: "single line passwords",
log: `this IS secret: password`, log: `this IS secret: password`,
secrets: []string{"password", " IS "}, secrets: []string{"password", " IS "},
expect: `this ******** secret: ********`, expect: `this IS secret: ********`,
}, { }, {
name: "secret with one newline",
log: "start log\ndone\nnow\nan\nmulti line secret!! ;)", log: "start log\ndone\nnow\nan\nmulti line secret!! ;)",
secrets: []string{"an\nmulti line secret!!"}, secrets: []string{"an\nmulti line secret!!"},
expect: "start log\ndone\nnow\n********\n******** ;)", expect: "start log\ndone\nnow\n********\n******** ;)",
}, { }, {
name: "secret with multible lines with no match",
log: "start log\ndone\nnow\nan\nmulti line secret!! ;)", log: "start log\ndone\nnow\nan\nmulti line secret!! ;)",
secrets: []string{"Test\nwith\n\ntwo new lines"}, secrets: []string{"Test\nwith\n\ntwo new lines"},
expect: "start log\ndone\nnow\nan\nmulti line secret!! ;)", expect: "start log\ndone\nnow\nan\nmulti line secret!! ;)",
}, { }, {
name: "secret with multible lines with match",
log: "start log\ndone\nnow\nan\nmulti line secret!! ;)\nwith\ntwo\n\nnewlines", log: "start log\ndone\nnow\nan\nmulti line secret!! ;)\nwith\ntwo\n\nnewlines",
secrets: []string{"an\nmulti line secret!!", "two\n\nnewlines"}, secrets: []string{"an\nmulti line secret!!", "two\n\nnewlines"},
expect: "start log\ndone\nnow\n********\n******** ;)\nwith\n********\n\n********", expect: "start log\ndone\nnow\n********\n******** ;)\nwith\n********\n\n********",
}} }}
for _, c := range tc { for _, c := range tc {
rep := NewSecretsReplacer(c.secrets) t.Run(c.name, func(t *testing.T) {
result := rep.Replace(c.log) rep := NewSecretsReplacer(c.secrets)
assert.EqualValues(t, c.expect, result) result := rep.Replace(c.log)
assert.EqualValues(t, c.expect, result)
})
} }
} }
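Review bot: The first case's name, "dont replace secrets with less than 3 chars", misstates the boundary it exercises — `"art"` is exactly three characters and is expected to stay unmasked, so the behaviour is "3 or fewer"; rename it to `name: "dont replace secrets with 3 or fewer chars",`. The table also never pins the other side of the boundary, so a regression to a looser cut-off would pass unnoticed; add a case with a four-character secret, e.g. `secrets: []string{"done"}` against `"start log\ndone"` with `expect: "start log\n********"`. Minor: "multible" in two case names should read "multiple". The rest of the test file outside this hunk is not visible here.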