Remove logging of any SAS tokens in Actions/Cache and Actions/Artifact by salmanmkc · Pull Request #1982 · actions/toolkit
Issue
Currently you are able to see the SAS token for downloading and uploading files when debugging.
This is not secure as technically anyone with access to the logs can use the SAS token to download or upload files.
Fix
Fix: masking the SAS token, so that you are unable to see it anymore; it will show three stars: ***, e.g. sig=*** in the URL
The code handles malformed URLs as well, encoding the raw, encoded & decoded URL in case. Code also checks for nested parameters and for any sig fields, in the case where for some reason signature_upload_url or the keys in the object could change.
Examples now changed approach to just mask the signature part:
Cache
Artifact
Cache uploading (old approach)

Cache downloading (old approach)

Artifact (old approach)
Uploading to artifact (old approach)

Downloading from artifact (old approach)

Questions
Discussion outcome was to have duplicate code rather than using a shared utility function in Core, which was the previous approach as indicated via previous commits.
This PR will need a release of:
- Toolkit cache
- Toolkit artifact
- https://github.com/actions/upload-artifact
- https://github.com/actions/download-artifact
- https://github.com/actions/cache
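
One way to implement the masking described above, as an added example that is not the PR's own code: `maskSig` and `maskSigDeep` are hypothetical names, and the sample URLs and object are constructed. It uses a regex rather than a URL parser so that malformed URLs are still masked, and it collects both the raw and the decoded signature value.

```javascript
// Added illustration, not code from actions/toolkit. Names are hypothetical.
// Matches sig=<value> at string start or after ? / &, up to the next delimiter.
const SIG_PARAM = /((?:^|[?&])sig=)([^&#\s]+)/gi;

// Replace every sig value in a string with ***; record raw + decoded forms
// in `secrets` so a caller can also register them with its log masker
// (in an action that would be core.setSecret from @actions/core).
function maskSig(text, secrets = new Set()) {
  return text.replace(SIG_PARAM, (_, prefix, value) => {
    secrets.add(value);
    try {
      secrets.add(decodeURIComponent(value));
    } catch {
      // Invalid %-escape in a malformed URL: only the raw form exists.
    }
    return prefix + '***';
  });
}

// Walk strings, arrays and plain objects so the signature is masked
// regardless of which key (or nesting level) carries the signed URL.
function maskSigDeep(value, secrets = new Set()) {
  if (typeof value === 'string') return maskSig(value, secrets);
  if (Array.isArray(value)) return value.map(v => maskSigDeep(v, secrets));
  if (value && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, maskSigDeep(v, secrets)])
    );
  }
  return value; // numbers, booleans, null pass through unchanged
}

// Constructed sample response; host, key names and signature are made up.
const sample = {
  signature_upload_url:
    'https://example.blob.core.windows.net/c/a.zip?sv=2024-01-01&sig=abc%2Fdef%3D&se=2025-01-01',
  nested: { urls: ['http://[bad/?sig=a%zz', 'https://example.test/?signature=1'] },
  size: 42
};

const collected = new Set();
console.log(JSON.stringify(maskSigDeep(sample, collected), null, 2));
console.log('values to register as secrets:', collected.size);
```
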



