From 59851786d4b0778a530c50e795b0070d681e9edf Mon Sep 17 00:00:00 2001
From: Francesco Renzi
Date: Thu, 25 May 2023 10:59:41 +0100
Subject: [PATCH 1/3] Add tests to ensure secrets are escaped
---
 packages/core/__tests__/core.test.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/packages/core/__tests__/core.test.ts b/packages/core/__tests__/core.test.ts
index 5011fcc8..09bc587b 100644
--- a/packages/core/__tests__/core.test.ts
+++ b/packages/core/__tests__/core.test.ts
@@ -161,7 +161,11 @@ describe('@actions/core', () => {
 
 it('setSecret produces the correct command', () => {
 core.setSecret('secret val')
- assertWriteCalls([`::add-mask::secret val${os.EOL}`])
+ core.setSecret('multi\nline\r\nsecret')
+ assertWriteCalls([
+ `::add-mask::secret val${os.EOL}`,
+ `::add-mask::multi%0Aline%0D%0Asecret${os.EOL}`
+ ])
 })
 
 it('prependPath produces the correct commands and sets the env', () => {
From f481b8c8dcbe245318cd220b0016650b3d1b1e1c Mon Sep 17 00:00:00 2001
From: Francesco Renzi
Date: Thu, 25 May 2023 11:00:25 +0100
Subject: [PATCH 2/3] Update docs for setSecret
---
 docs/commands.md | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/docs/commands.md b/docs/commands.md
index c711368a..5af0f319 100644
--- a/docs/commands.md
+++ b/docs/commands.md
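Review bot: The new case in the `setSecret produces the correct command` test of `core.test.ts` pins the `\n` and `\r\n` escapes but not a secret that contains a literal `%`. That character also has to be escaped for the registered mask to match the real value. If `%` ever went through unescaped, a secret such as `100%0A` would presumably be decoded by the runner into a different string, so the real value would stay unmasked in later logs. I would add a third call, `core.setSecret('100%0A')`, with the expected write `::add-mask::100%250A${os.EOL}`. That expected value is constructed on the assumption that setSecret uses the same data escaping as the other commands, which the hunk does not show. The `it(...)` block sits inside a `describe` that starts outside the hunk.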
@@ -50,7 +50,18 @@ function setSecret(secret: string): void {} Now, future logs containing BAR will be masked. E.g. running `echo "Hello FOO BAR World"` will now print `Hello FOO **** World`. -**WARNING** The add-mask and setSecret commands only support single line secrets. To register a multiline secrets you must register each line individually otherwise it will not be masked. +**WARNING** The add-mask and setSecret commands only support single-line +secrets or multi-line secrets that have been escaped. `@actions/core` +`setSecret` will escape the string you provide by default. When an escaped +multi-line string is provided the whole string and each of its lines +individually will be masked. For example you can mask `first\nsecond\r\nthird` +using: + +```sh +echo "::add-mask::first%0Asecond%0D%0Athird" +``` + +This will mask `first%0Asecond%0D%0Athird`, `first`, `second` and `third`. **WARNING** Do **not** mask short values if you can avoid it, it could render your output unreadable (and future steps' output as well). For example, if you mask the letter `l`, running `echo "Hello FOO BAR World"` will now print `He*********o FOO BAR Wor****d` From ae9272d5cbda0eae6e26ff14ccb0b7a6b98a6d3d Mon Sep 17 00:00:00 2001 From: Francesco Renzi Date: Thu, 25 May 2023 11:07:37 +0100 Subject: [PATCH 3/3] Update docs/commands.md Co-authored-by: JoannaaKL --- docs/commands.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/commands.md b/docs/commands.md index 5af0f319..15f18e84 100644 --- a/docs/commands.md +++ b/docs/commands.md 
@@ -50,7 +50,7 @@ function setSecret(secret: string): void {} Now, future logs containing BAR will be masked. E.g. running `echo "Hello FOO BAR World"` will now print `Hello FOO **** World`. -**WARNING** The add-mask and setSecret commands only support single-line +**WARNING** The add-mask and setSecret commands only support single-line secrets or multi-line secrets that have been escaped. `@actions/core` `setSecret` will escape the string you provide by default. When an escaped multi-line string is provided the whole string and each of its lines