fix: support multiline secret masking (#1001)

* command logging exposes multiline secrets more often than before * duplicated add-mask command in reporter now handles this as well Closes #998 Co-authored-by: silverwind <2021+silverwind@noreply.gitea.com> Co-authored-by: silverwind <me@silverwind.io> Reviewed-on: https://gitea.com/gitea/runner/pulls/1001 Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com> Reviewed-by: silverwind <2021+silverwind@noreply.gitea.com> Co-authored-by: Christopher Homberger <christopher.homberger@web.de> Co-committed-by: Christopher Homberger <christopher.homberger@web.de>
2026-06-10 11:54:27 +02:00 · 2026-05-29 19:58:15 +00:00
parent abec931d98
commit c7c4bd600a
5 changed files with 102 additions and 15 deletions
--- a/act/runner/logger_test.go
+++ b/act/runner/logger_test.go
@@ -0,0 +1,52 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package runner
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestValueMasker(t *testing.T) {
+	table := []struct {
+		name       string
+		lines      string
+		secrets    map[string]string
+		masks      []string
+		disallowed []string
+	}{
+		{
+			name:  "Multiline Private Key",
+			lines: "cat << EOF > private.key\nPRIVATE_KEY_BEGIN\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\nPRIVATE_KEY_END\nEOF",
+			secrets: map[string]string{
+				"PRIVATE_KEY": "PRIVATE_KEY_BEGIN\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\nPRIVATE_KEY_END",
+			},
+			disallowed: []string{"KEY", "dsdfseffefsefes", "PRIVATE_KEY_END"},
+		},
+		{
+			name:       "Multiline Private Key in masks",
+			lines:      "cat << EOF > private.key\nPRIVATE_KEY_BEGIN\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\nPRIVATE_KEY_END\nEOF",
+			masks:      []string{"PRIVATE_KEY_BEGIN\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\ndsdfseffefsefes\nPRIVATE_KEY_END"},
+			disallowed: []string{"KEY", "dsdfseffefsefes", "PRIVATE_KEY_END"},
+		},
+	}
+	for _, entry := range table {
+		t.Run(entry.name, func(t *testing.T) {
+			ctx := WithMasks(t.Context(), &entry.masks)
+			masker := valueMasker(false, entry.secrets)
+			for line := range strings.SplitSeq(entry.lines, "\n") {
+				lentry := masker(&logrus.Entry{
+					Context: ctx,
+					Message: line,
+				})
+				for _, line := range entry.disallowed {
+					assert.NotContains(t, lentry.Message, line)
+				}
+			}
+		})
+	}
+}