actions
/
toolkit
mirror of https://github.com/actions/toolkit
1
0
Fork 0
Code

PR feedback, back to simplified approach, no export on client as well

pull/1982/head
Salman Chishti 2025-03-13 04:23:45 -07:00
parent abd9054c61
commit fc482662af
6 changed files with 37 additions and 633 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

180
packages/artifact/__tests__/util.test.ts
View File

@ -69,14 +69,6 @@ describe('maskSigUrl', () => {
jest.clearAllMocks() jest.clearAllMocks()
}) })
it('masks the sig parameter in the URL and sets it as a secret', () => {
const url = 'https://example.com?sig=12345'
const maskedUrl = maskSigUrl(url)
expect(maskedUrl).toBe('https://example.com/?sig=***')
expect(setSecret).toHaveBeenCalledWith('12345')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('12345'))
})
it('returns the original URL if no sig parameter is present', () => { it('returns the original URL if no sig parameter is present', () => {
const url = 'https://example.com' const url = 'https://example.com'
const maskedUrl = maskSigUrl(url) const maskedUrl = maskSigUrl(url)
@ -85,7 +77,7 @@ describe('maskSigUrl', () => {
}) })
it('masks the sig parameter in the middle of the URL and sets it as a secret', () => { it('masks the sig parameter in the middle of the URL and sets it as a secret', () => {
const url = 'https://example.com?param1=value1&sig=12345&param2=value2' const url = 'https://example.com/?param1=value1&sig=12345&param2=value2'
const maskedUrl = maskSigUrl(url) const maskedUrl = maskSigUrl(url)
expect(maskedUrl).toBe( expect(maskedUrl).toBe(
'https://example.com/?param1=value1&sig=***&param2=value2' 'https://example.com/?param1=value1&sig=***&param2=value2'
@ -101,39 +93,6 @@ describe('maskSigUrl', () => {
expect(setSecret).not.toHaveBeenCalled() expect(setSecret).not.toHaveBeenCalled()
}) })
it('handles URLs with special characters in signature', () => {
const url = 'https://example.com?sig=abc/+=%3D'
const maskedUrl = maskSigUrl(url)
expect(maskedUrl).toBe('https://example.com/?sig=***')
expect(setSecret).toHaveBeenCalledWith('abc/+')
expect(setSecret).toHaveBeenCalledWith('abc/ ==')
expect(setSecret).toHaveBeenCalledWith('abc%2F%20%3D%3D')
})
it('handles relative URLs', () => {
const url = '/path?param=value&sig=12345'
const maskedUrl = maskSigUrl(url)
expect(maskedUrl).toBe('https://example.com/path?param=value&sig=***')
expect(setSecret).toHaveBeenCalledWith('12345')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('12345'))
})
it('handles URLs with uppercase SIG parameter', () => {
const url = 'https://example.com?SIG=12345'
const maskedUrl = maskSigUrl(url)
expect(maskedUrl).toBe('https://example.com/?SIG=***')
expect(setSecret).toHaveBeenCalledWith('12345')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('12345'))
})
it('handles malformed URLs using regex fallback', () => {
const url = 'not:a:valid:url:but:has:sig=12345'
const maskedUrl = maskSigUrl(url)
expect(maskedUrl).toBe('not:a:valid:url:but:has:sig=***')
expect(setSecret).toHaveBeenCalledWith('12345')
})
it('handles URLs with fragments', () => { it('handles URLs with fragments', () => {
const url = 'https://example.com?sig=12345#fragment' const url = 'https://example.com?sig=12345#fragment'
const maskedUrl = maskSigUrl(url) const maskedUrl = maskSigUrl(url)
@ -141,72 +100,6 @@ describe('maskSigUrl', () => {
expect(setSecret).toHaveBeenCalledWith('12345') expect(setSecret).toHaveBeenCalledWith('12345')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('12345')) expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('12345'))
}) })
it('handles URLs with Sig parameter (first letter uppercase)', () => {
const url = 'https://example.com?Sig=12345'
const maskedUrl = maskSigUrl(url)
expect(maskedUrl).toBe('https://example.com/?Sig=***')
expect(setSecret).toHaveBeenCalledWith('12345')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('12345'))
})
it('handles URLs with sIg parameter (middle letter uppercase)', () => {
const url = 'https://example.com?sIg=12345'
const maskedUrl = maskSigUrl(url)
expect(maskedUrl).toBe('https://example.com/?sIg=***')
expect(setSecret).toHaveBeenCalledWith('12345')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('12345'))
})
it('handles URLs with siG parameter (last letter uppercase)', () => {
const url = 'https://example.com?siG=12345'
const maskedUrl = maskSigUrl(url)
expect(maskedUrl).toBe('https://example.com/?siG=***')
expect(setSecret).toHaveBeenCalledWith('12345')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('12345'))
})
it('handles URLs with mixed case sig parameters in the same URL', () => {
const url = 'https://example.com?sig=123&SIG=456&Sig=789'
const maskedUrl = maskSigUrl(url)
expect(maskedUrl).toBe('https://example.com/?sig=***&SIG=***&Sig=***')
expect(setSecret).toHaveBeenCalledWith('123')
expect(setSecret).toHaveBeenCalledWith('456')
expect(setSecret).toHaveBeenCalledWith('789')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('123'))
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('456'))
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('789'))
})
it('handles malformed URLs with different sig case variations', () => {
const url = 'not:a:valid:url:but:has:Sig=12345'
const maskedUrl = maskSigUrl(url)
expect(maskedUrl).toBe('not:a:valid:url:but:has:Sig=***')
expect(setSecret).toHaveBeenCalledWith('12345')
})
it('handles malformed URLs with uppercase SIG in irregular formats', () => {
const url = 'something&SIG=12345&other:stuff'
const maskedUrl = maskSigUrl(url)
expect(maskedUrl).toBe('something&SIG=***&other:stuff')
expect(setSecret).toHaveBeenCalledWith('12345')
})
it('handles sig parameter at the start of the query string', () => {
const url = 'https://example.com?sig=12345&param=value'
const maskedUrl = maskSigUrl(url)
expect(maskedUrl).toBe('https://example.com/?sig=***&param=value')
expect(setSecret).toHaveBeenCalledWith('12345')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('12345'))
})
it('handles sig parameter at the end of the query string', () => {
const url = 'https://example.com?param=value&sig=12345'
const maskedUrl = maskSigUrl(url)
expect(maskedUrl).toBe('https://example.com/?param=value&sig=***')
expect(setSecret).toHaveBeenCalledWith('12345')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('12345'))
})
}) })
describe('maskSecretUrls', () => { describe('maskSecretUrls', () => {
@ -262,77 +155,6 @@ describe('maskSecretUrls', () => {
expect(setSecret).not.toHaveBeenCalled() expect(setSecret).not.toHaveBeenCalled()
}) })
it('handles malformed URLs in the body', () => {
const body = {
signed_upload_url: 'not:a:valid:url:but:has:sig=upload123',
signed_url: 'also:not:valid:with:sig=download123'
}
maskSecretUrls(body)
expect(setSecret).toHaveBeenCalledWith('upload123')
expect(setSecret).toHaveBeenCalledWith('download123')
})
it('handles URLs with different case variations of sig parameter', () => {
const body = {
signed_upload_url: 'https://upload.com?SIG=upload123',
signed_url: 'https://download.com?Sig=download123'
}
maskSecretUrls(body)
expect(setSecret).toHaveBeenCalledWith('upload123')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('upload123'))
expect(setSecret).toHaveBeenCalledWith('download123')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('download123'))
})
it('handles URLs with special characters in signature', () => {
const specialSig = 'xyz!@#$'
const encodedSpecialSig = encodeURIComponent(specialSig)
const body = {
signed_upload_url: 'https://upload.com?sig=abc/+=%3D',
signed_url: `https://download.com?sig=${encodedSpecialSig}`
}
maskSecretUrls(body)
const allCalls = (setSecret as jest.Mock).mock.calls.flat()
expect(allCalls).toContain('abc/+')
expect(allCalls).toContain('abc/ ==')
expect(allCalls).toContain('abc%2F%20%3D%3D')
expect(allCalls).toContain(specialSig)
})
it('handles deeply nested URLs in the body', () => {
const body = {
data: {
urls: {
signed_upload_url: 'https://upload.com?sig=nested123',
signed_url: 'https://download.com?sig=nested456'
}
}
}
maskSecretUrls(body)
expect(setSecret).toHaveBeenCalledWith('nested123')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('nested123'))
expect(setSecret).toHaveBeenCalledWith('nested456')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('nested456'))
})
it('handles arrays of URLs in the body', () => {
const body = {
signed_urls: [
'https://first.com?sig=first123',
'https://second.com?sig=second456'
]
}
maskSecretUrls(body)
expect(setSecret).toHaveBeenCalledWith('first123')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('first123'))
expect(setSecret).toHaveBeenCalledWith('second456')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('second456'))
})
it('does nothing if body is not an object or is null', () => { it('does nothing if body is not an object or is null', () => {
maskSecretUrls(null) maskSecretUrls(null)
expect(debug).toHaveBeenCalledWith('body is not an object or is null') expect(debug).toHaveBeenCalledWith('body is not an object or is null')

2
packages/artifact/src/internal/shared/artifact-twirp-client.ts
View File

@ -17,7 +17,7 @@ interface Rpc {
): Promise<object | Uint8Array> ): Promise<object | Uint8Array>
} }
export class ArtifactHttpClient implements Rpc { class ArtifactHttpClient implements Rpc {
private httpClient: HttpClient private httpClient: HttpClient
private baseUrl: string private baseUrl: string
private maxAttempts = 5 private maxAttempts = 5

138
packages/artifact/src/internal/shared/util.ts
View File

@ -81,159 +81,41 @@ export function maskSigUrl(url: string): string {
if (!url) return url if (!url) return url
try { try {
const rawSigRegex = /[?&](sig)=([^&=#]+)/gi const parsedUrl = new URL(url)
let match const signature = parsedUrl.searchParams.get('sig')
while ((match = rawSigRegex.exec(url)) !== null) {
const rawSignature = match[2]
if (rawSignature) {
setSecret(rawSignature)
}
}
let parsedUrl: URL
try {
parsedUrl = new URL(url)
} catch {
try {
parsedUrl = new URL(url, 'https://example.com')
} catch (error) {
debug(`Failed to parse URL: ${url}`)
return maskSigWithRegex(url)
}
}
let masked = false
const paramNames = Array.from(parsedUrl.searchParams.keys())
for (const paramName of paramNames) {
if (paramName.toLowerCase() === 'sig') {
const signature = parsedUrl.searchParams.get(paramName)
if (signature) { if (signature) {
setSecret(signature) setSecret(signature)
setSecret(encodeURIComponent(signature)) setSecret(encodeURIComponent(signature))
parsedUrl.searchParams.set(paramName, '***') parsedUrl.searchParams.set('sig', '***')
masked = true
}
}
}
if (masked) {
return parsedUrl.toString() return parsedUrl.toString()
} }
if (/([:?&]|^)(sig)=([^&=#]+)/i.test(url)) {
return maskSigWithRegex(url)
}
} catch (error) { } catch (error) {
debug( debug(
`Error masking URL: ${ `Failed to parse URL: ${url} ${
error instanceof Error ? error.message : String(error) error instanceof Error ? error.message : String(error)
}` }`
) )
return maskSigWithRegex(url)
} }
return url return url
} }
/**
* Fallback method to mask signatures using regex when URL parsing fails
*/
function maskSigWithRegex(url: string): string {
try {
const regex = /([:?&]|^)(sig)=([^&=#]+)/gi
return url.replace(regex, (fullMatch, prefix, paramName, value) => {
if (value) {
setSecret(value)
try {
setSecret(decodeURIComponent(value))
} catch {
// Ignore decoding errors
}
return `${prefix}${paramName}=***`
}
return fullMatch
})
} catch (error) {
debug(
`Error in maskSigWithRegex: ${
error instanceof Error ? error.message : String(error)
}`
)
return url
}
}
/** /**
* Masks any URLs containing signature parameters in the provided object * Masks any URLs containing signature parameters in the provided object
* Recursively searches through nested objects and arrays
*/ */
export function maskSecretUrls( export function maskSecretUrls(body: Record<string, unknown> | null): void {
body: Record<string, unknown> | unknown[] | null
): void {
if (typeof body !== 'object' || body === null) { if (typeof body !== 'object' || body === null) {
debug('body is not an object or is null') debug('body is not an object or is null')
return return
} }
type NestedValue =
| string
| number
| boolean
| null
| undefined
| NestedObject
| NestedArray
interface NestedObject {
[key: string]: NestedValue
signed_upload_url?: string
signed_url?: string
}
type NestedArray = NestedValue[]
const processUrl = (url: string): void => {
maskSigUrl(url)
}
const processObject = (
obj: Record<string, NestedValue> | NestedValue[]
): void => {
if (typeof obj !== 'object' || obj === null) {
return
}
if (Array.isArray(obj)) {
for (const item of obj) {
if (typeof item === 'string') {
processUrl(item)
} else if (typeof item === 'object' && item !== null) {
processObject(item as Record<string, NestedValue> | NestedValue[])
}
}
return
}
if ( if (
'signed_upload_url' in obj && 'signed_upload_url' in body &&
typeof obj.signed_upload_url === 'string' typeof body.signed_upload_url === 'string'
) { ) {
maskSigUrl(obj.signed_upload_url) maskSigUrl(body.signed_upload_url)
} }
if ('signed_url' in obj && typeof obj.signed_url === 'string') { if ('signed_url' in body && typeof body.signed_url === 'string') {
maskSigUrl(obj.signed_url) maskSigUrl(body.signed_url)
} }
for (const key in obj) {
const value = obj[key]
if (typeof value === 'string') {
if (/([:?&]|^)(sig)=/i.test(value)) {
maskSigUrl(value)
}
} else if (typeof value === 'object' && value !== null) {
processObject(value as Record<string, NestedValue> | NestedValue[])
}
}
}
processObject(body as Record<string, NestedValue> | NestedValue[])
} }

180
packages/cache/__tests__/util.test.ts vendored
View File

@ -8,14 +8,6 @@ describe('maskSigUrl', () => {
jest.clearAllMocks() jest.clearAllMocks()
}) })
it('masks the sig parameter in the URL and sets it as a secret', () => {
const url = 'https://example.com?sig=12345'
const maskedUrl = maskSigUrl(url)
expect(maskedUrl).toBe('https://example.com/?sig=***')
expect(setSecret).toHaveBeenCalledWith('12345')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('12345'))
})
it('returns the original URL if no sig parameter is present', () => { it('returns the original URL if no sig parameter is present', () => {
const url = 'https://example.com' const url = 'https://example.com'
const maskedUrl = maskSigUrl(url) const maskedUrl = maskSigUrl(url)
@ -24,7 +16,7 @@ describe('maskSigUrl', () => {
}) })
it('masks the sig parameter in the middle of the URL and sets it as a secret', () => { it('masks the sig parameter in the middle of the URL and sets it as a secret', () => {
const url = 'https://example.com?param1=value1&sig=12345&param2=value2' const url = 'https://example.com/?param1=value1&sig=12345&param2=value2'
const maskedUrl = maskSigUrl(url) const maskedUrl = maskSigUrl(url)
expect(maskedUrl).toBe( expect(maskedUrl).toBe(
'https://example.com/?param1=value1&sig=***&param2=value2' 'https://example.com/?param1=value1&sig=***&param2=value2'
@ -40,39 +32,6 @@ describe('maskSigUrl', () => {
expect(setSecret).not.toHaveBeenCalled() expect(setSecret).not.toHaveBeenCalled()
}) })
it('handles URLs with special characters in signature', () => {
const url = 'https://example.com?sig=abc/+=%3D'
const maskedUrl = maskSigUrl(url)
expect(maskedUrl).toBe('https://example.com/?sig=***')
expect(setSecret).toHaveBeenCalledWith('abc/+')
expect(setSecret).toHaveBeenCalledWith('abc/ ==')
expect(setSecret).toHaveBeenCalledWith('abc%2F%20%3D%3D')
})
it('handles relative URLs', () => {
const url = '/path?param=value&sig=12345'
const maskedUrl = maskSigUrl(url)
expect(maskedUrl).toBe('https://example.com/path?param=value&sig=***')
expect(setSecret).toHaveBeenCalledWith('12345')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('12345'))
})
it('handles URLs with uppercase SIG parameter', () => {
const url = 'https://example.com?SIG=12345'
const maskedUrl = maskSigUrl(url)
expect(maskedUrl).toBe('https://example.com/?SIG=***')
expect(setSecret).toHaveBeenCalledWith('12345')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('12345'))
})
it('handles malformed URLs using regex fallback', () => {
const url = 'not:a:valid:url:but:has:sig=12345'
const maskedUrl = maskSigUrl(url)
expect(maskedUrl).toBe('not:a:valid:url:but:has:sig=***')
expect(setSecret).toHaveBeenCalledWith('12345')
})
it('handles URLs with fragments', () => { it('handles URLs with fragments', () => {
const url = 'https://example.com?sig=12345#fragment' const url = 'https://example.com?sig=12345#fragment'
const maskedUrl = maskSigUrl(url) const maskedUrl = maskSigUrl(url)
@ -80,72 +39,6 @@ describe('maskSigUrl', () => {
expect(setSecret).toHaveBeenCalledWith('12345') expect(setSecret).toHaveBeenCalledWith('12345')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('12345')) expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('12345'))
}) })
it('handles URLs with Sig parameter (first letter uppercase)', () => {
const url = 'https://example.com?Sig=12345'
const maskedUrl = maskSigUrl(url)
expect(maskedUrl).toBe('https://example.com/?Sig=***')
expect(setSecret).toHaveBeenCalledWith('12345')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('12345'))
})
it('handles URLs with sIg parameter (middle letter uppercase)', () => {
const url = 'https://example.com?sIg=12345'
const maskedUrl = maskSigUrl(url)
expect(maskedUrl).toBe('https://example.com/?sIg=***')
expect(setSecret).toHaveBeenCalledWith('12345')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('12345'))
})
it('handles URLs with siG parameter (last letter uppercase)', () => {
const url = 'https://example.com?siG=12345'
const maskedUrl = maskSigUrl(url)
expect(maskedUrl).toBe('https://example.com/?siG=***')
expect(setSecret).toHaveBeenCalledWith('12345')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('12345'))
})
it('handles URLs with mixed case sig parameters in the same URL', () => {
const url = 'https://example.com?sig=123&SIG=456&Sig=789'
const maskedUrl = maskSigUrl(url)
expect(maskedUrl).toBe('https://example.com/?sig=***&SIG=***&Sig=***')
expect(setSecret).toHaveBeenCalledWith('123')
expect(setSecret).toHaveBeenCalledWith('456')
expect(setSecret).toHaveBeenCalledWith('789')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('123'))
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('456'))
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('789'))
})
it('handles malformed URLs with different sig case variations', () => {
const url = 'not:a:valid:url:but:has:Sig=12345'
const maskedUrl = maskSigUrl(url)
expect(maskedUrl).toBe('not:a:valid:url:but:has:Sig=***')
expect(setSecret).toHaveBeenCalledWith('12345')
})
it('handles malformed URLs with uppercase SIG in irregular formats', () => {
const url = 'something&SIG=12345&other:stuff'
const maskedUrl = maskSigUrl(url)
expect(maskedUrl).toBe('something&SIG=***&other:stuff')
expect(setSecret).toHaveBeenCalledWith('12345')
})
it('handles sig parameter at the start of the query string', () => {
const url = 'https://example.com?sig=12345&param=value'
const maskedUrl = maskSigUrl(url)
expect(maskedUrl).toBe('https://example.com/?sig=***&param=value')
expect(setSecret).toHaveBeenCalledWith('12345')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('12345'))
})
it('handles sig parameter at the end of the query string', () => {
const url = 'https://example.com?param=value&sig=12345'
const maskedUrl = maskSigUrl(url)
expect(maskedUrl).toBe('https://example.com/?param=value&sig=***')
expect(setSecret).toHaveBeenCalledWith('12345')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('12345'))
})
}) })
describe('maskSecretUrls', () => { describe('maskSecretUrls', () => {
@ -201,77 +94,6 @@ describe('maskSecretUrls', () => {
expect(setSecret).not.toHaveBeenCalled() expect(setSecret).not.toHaveBeenCalled()
}) })
it('handles malformed URLs in the body', () => {
const body = {
signed_upload_url: 'not:a:valid:url:but:has:sig=upload123',
signed_download_url: 'also:not:valid:with:sig=download123'
}
maskSecretUrls(body)
expect(setSecret).toHaveBeenCalledWith('upload123')
expect(setSecret).toHaveBeenCalledWith('download123')
})
it('handles URLs with different case variations of sig parameter', () => {
const body = {
signed_upload_url: 'https://upload.com?SIG=upload123',
signed_download_url: 'https://download.com?Sig=download123'
}
maskSecretUrls(body)
expect(setSecret).toHaveBeenCalledWith('upload123')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('upload123'))
expect(setSecret).toHaveBeenCalledWith('download123')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('download123'))
})
it('handles URLs with special characters in signature', () => {
const specialSig = 'xyz!@#$'
const encodedSpecialSig = encodeURIComponent(specialSig)
const body = {
signed_upload_url: 'https://upload.com?sig=abc/+=%3D',
signed_download_url: `https://download.com?sig=${encodedSpecialSig}`
}
maskSecretUrls(body)
const allCalls = (setSecret as jest.Mock).mock.calls.flat()
expect(allCalls).toContain('abc/+')
expect(allCalls).toContain('abc/ ==')
expect(allCalls).toContain('abc%2F%20%3D%3D')
expect(allCalls).toContain(specialSig)
})
it('handles deeply nested URLs in the body', () => {
const body = {
data: {
urls: {
signed_upload_url: 'https://upload.com?sig=nested123',
signed_download_url: 'https://download.com?sig=nested456'
}
}
}
maskSecretUrls(body)
expect(setSecret).toHaveBeenCalledWith('nested123')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('nested123'))
expect(setSecret).toHaveBeenCalledWith('nested456')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('nested456'))
})
it('handles arrays of URLs in the body', () => {
const body = {
signed_urls: [
'https://first.com?sig=first123',
'https://second.com?sig=second456'
]
}
maskSecretUrls(body)
expect(setSecret).toHaveBeenCalledWith('first123')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('first123'))
expect(setSecret).toHaveBeenCalledWith('second456')
expect(setSecret).toHaveBeenCalledWith(encodeURIComponent('second456'))
})
it('does nothing if body is not an object or is null', () => { it('does nothing if body is not an object or is null', () => {
maskSecretUrls(null) maskSecretUrls(null)
expect(debug).toHaveBeenCalledWith('body is not an object or is null') expect(debug).toHaveBeenCalledWith('body is not an object or is null')

2
packages/cache/src/internal/shared/cacheTwirpClient.ts vendored
View File

@ -25,7 +25,7 @@ interface Rpc {
* *
* This class is used to interact with cache service v2. * This class is used to interact with cache service v2.
*/ */
export class CacheServiceClient implements Rpc { class CacheServiceClient implements Rpc {
private httpClient: HttpClient private httpClient: HttpClient
private baseUrl: string private baseUrl: string
private maxAttempts = 5 private maxAttempts = 5

144
packages/cache/src/internal/shared/util.ts vendored
View File

@ -10,166 +10,44 @@ export function maskSigUrl(url: string): string {
if (!url) return url if (!url) return url
try { try {
const rawSigRegex = /[?&](sig)=([^&=#]+)/gi const parsedUrl = new URL(url)
let match const signature = parsedUrl.searchParams.get('sig')
while ((match = rawSigRegex.exec(url)) !== null) {
const rawSignature = match[2]
if (rawSignature) {
setSecret(rawSignature)
}
}
let parsedUrl: URL
try {
parsedUrl = new URL(url)
} catch {
try {
parsedUrl = new URL(url, 'https://example.com')
} catch (error) {
debug(`Failed to parse URL: ${url}`)
return maskSigWithRegex(url)
}
}
let masked = false
const paramNames = Array.from(parsedUrl.searchParams.keys())
for (const paramName of paramNames) {
if (paramName.toLowerCase() === 'sig') {
const signature = parsedUrl.searchParams.get(paramName)
if (signature) { if (signature) {
setSecret(signature) setSecret(signature)
setSecret(encodeURIComponent(signature)) setSecret(encodeURIComponent(signature))
parsedUrl.searchParams.set(paramName, '***') parsedUrl.searchParams.set('sig', '***')
masked = true
}
}
}
if (masked) {
return parsedUrl.toString() return parsedUrl.toString()
} }
if (/([:?&]|^)(sig)=([^&=#]+)/i.test(url)) {
return maskSigWithRegex(url)
}
} catch (error) { } catch (error) {
debug( debug(
`Error masking URL: ${ `Failed to parse URL: ${url} ${
error instanceof Error ? error.message : String(error) error instanceof Error ? error.message : String(error)
}` }`
) )
return maskSigWithRegex(url)
} }
return url return url
} }
/**
* Fallback method to mask signatures using regex when URL parsing fails
*/
function maskSigWithRegex(url: string): string {
try {
const regex = /([:?&]|^)(sig)=([^&=#]+)/gi
return url.replace(regex, (fullMatch, prefix, paramName, value) => {
if (value) {
setSecret(value)
try {
setSecret(decodeURIComponent(value))
} catch (error) {
debug(
`Failed to decode URL parameter: ${
error instanceof Error ? error.message : String(error)
}`
)
}
return `${prefix}${paramName}=***`
}
return fullMatch
})
} catch (error) {
debug(
`Error in maskSigWithRegex: ${
error instanceof Error ? error.message : String(error)
}`
)
return url
}
}
/** /**
* Masks any URLs containing signature parameters in the provided object * Masks any URLs containing signature parameters in the provided object
* Recursively searches through nested objects and arrays
*/ */
export function maskSecretUrls( export function maskSecretUrls(body: Record<string, unknown> | null): void {
body: Record<string, unknown> | unknown[] | null
): void {
if (typeof body !== 'object' || body === null) { if (typeof body !== 'object' || body === null) {
debug('body is not an object or is null') debug('body is not an object or is null')
return return
} }
type NestedValue =
| string
| number
| boolean
| null
| undefined
| NestedObject
| NestedArray
interface NestedObject {
[key: string]: NestedValue
signed_upload_url?: string
signed_download_url?: string
}
type NestedArray = NestedValue[]
const processUrl = (url: string): void => {
maskSigUrl(url)
}
const processObject = (
obj: Record<string, NestedValue> | NestedValue[]
): void => {
if (typeof obj !== 'object' || obj === null) {
return
}
if (Array.isArray(obj)) {
for (const item of obj) {
if (typeof item === 'string') {
processUrl(item)
} else if (typeof item === 'object' && item !== null) {
processObject(item as Record<string, NestedValue> | NestedValue[])
}
}
return
}
if ( if (
'signed_upload_url' in obj && 'signed_upload_url' in body &&
typeof obj.signed_upload_url === 'string' typeof body.signed_upload_url === 'string'
) { ) {
maskSigUrl(obj.signed_upload_url) maskSigUrl(body.signed_upload_url)
} }
if ( if (
'signed_download_url' in obj && 'signed_download_url' in body &&
typeof obj.signed_download_url === 'string' typeof body.signed_download_url === 'string'
) { ) {
maskSigUrl(obj.signed_download_url) maskSigUrl(body.signed_download_url)
} }
for (const key in obj) {
const value = obj[key]
if (typeof value === 'string') {
if (/([:?&]|^)(sig)=/i.test(value)) {
maskSigUrl(value)
}
} else if (typeof value === 'object' && value !== null) {
processObject(value as Record<string, NestedValue> | NestedValue[])
}
}
}
processObject(body as Record<string, NestedValue> | NestedValue[])
} }