Only mask concealed or note fields
1
.github/workflows/test.yml
1
.github/workflows/test.yml
@@ -22,6 +22,7 @@ jobs:
|
|||||||
env:
|
env:
|
||||||
SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password
|
SECRET: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/password
|
||||||
SECRET_IN_SECTION: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/test-section/password
|
SECRET_IN_SECTION: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/test-section/password
|
||||||
|
UNMASKED_VALUE: op://v5pz6venw4roosmkzdq2nhpv6u/hrgkzhrlvscomepxlgafb2m3ca/test-section/username
|
||||||
- name: Load multiline secret
|
- name: Load multiline secret
|
||||||
uses: ./ # 1password/load-secrets-action@<version>
|
uses: ./ # 1password/load-secrets-action@<version>
|
||||||
env:
|
env:
|
||||||
|
|||||||
@@ -84,20 +84,27 @@ for possible_ref in $(printenv | grep "=op://" | grep -v "^#"); do
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
echo "Looking for field: $field"
|
echo "Looking for field: $field"
|
||||||
secret_value=$(echo "$item_json" | jq -r "first(.fields[] | select($jq_field_selector) | .value)")
|
secret_field_json=$(echo "$item_json" | jq -r "first(.fields[] | select($jq_field_selector))")
|
||||||
|
|
||||||
# Register a mask for the secret to prevent accidental log exposure.
|
field_type=$(echo "$secret_field_json" | jq -r '.type')
|
||||||
# To support multiline secrets, escape percent signs and add a mask per line.
|
field_purpose=$(echo "$secret_field_json" | jq -r '.purpose')
|
||||||
escaped_mask_value=$(echo "$secret_value" | sed -e 's/%/%25/g')
|
secret_value=$(echo "$secret_field_json" | jq -r '.value')
|
||||||
IFS=$'\n'
|
|
||||||
for line in $escaped_mask_value; do
|
# If the field is marked as concealed or is a note, register a mask
|
||||||
if [ "${#line}" -lt 3 ]; then
|
# for the secret to prevent accidental log exposure.
|
||||||
# To avoid false positives and unreadable logs, omit mask for lines that are too short.
|
if [ "$field_type" == "CONCEALED" ] || [ "$field_purpose" == "NOTES" ]; then
|
||||||
continue
|
# To support multiline secrets, escape percent signs and add a mask per line.
|
||||||
fi
|
escaped_mask_value=$(echo "$secret_value" | sed -e 's/%/%25/g')
|
||||||
echo "::add-mask::$line"
|
IFS=$'\n'
|
||||||
done
|
for line in $escaped_mask_value; do
|
||||||
unset IFS
|
if [ "${#line}" -lt 3 ]; then
|
||||||
|
# To avoid false positives and unreadable logs, omit mask for lines that are too short.
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
echo "::add-mask::$line"
|
||||||
|
done
|
||||||
|
unset IFS
|
||||||
|
fi
|
||||||
|
|
||||||
# To support multiline secrets, we'll use the heredoc syntax to populate the environment variables.
|
# To support multiline secrets, we'll use the heredoc syntax to populate the environment variables.
|
||||||
# As the heredoc identifier, we'll use a randomly generated 64-character string,
|
# As the heredoc identifier, we'll use a randomly generated 64-character string,
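Review bot: The new condition `if [ "$field_type" == "CONCEALED" ] || [ "$field_purpose" == "NOTES" ]; then` fails open: a field whose metadata is missing or unexpected is never masked. When the matched field object lacks a `type` or `purpose` key, `jq -r` prints the literal string `null`, and when `first(...)` matches nothing `secret_field_json` is empty so both variables are empty; in either case the masking block is skipped while `secret_value` is presumably still written into the environment by the heredoc block the comments below refer to. Treating unknown metadata as sensitive keeps the default safe, e.g. `if [ "$field_type" == "CONCEALED" ] || [ "$field_purpose" == "NOTES" ] || [ -z "$field_type" ] || [ "$field_type" == "null" ]; then`, and an `else` branch that logs `echo "Field '$field' is not concealed; its value will not be masked"` (the field name only, never the value) leaves an audit trail for the fields this commit deliberately leaves readable. The enclosing `for possible_ref` loop begins above the hunk and its body continues past it.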
|
||||||
|
|||||||