New audit: secret leakage #400

Open
woodruffw opened this issue Jan 6, 2025 · 0 comments
Labels: new-audit (New audits)

Comments

@woodruffw (Owner):
By default, secrets in the secrets.* context are redacted in logs, etc. However, if a secret is JSON, this kind of pattern can accidentally disclose it:

${{ fromJSON(secrets.oopsie).foo.bar }}

This happens because secrets.oopsie is redacted, but substrings/arbitrary decodings of secrets.oopsie are not.

As such, we should probably detect any flow of fromJSON(secrets).attr.access or fromJSON(secrets.abc).attr.access and flag it.

Doing this fully generally is a little tricky, since expressions can appear literally almost anywhere. So the existing audit infrastructure might be insufficient for this; instead we probably need an audit_raw(body: &str) or similar.
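The raw-text check sketched above, written out as an added example in the shape of the proposed `audit_raw(body: &str)`. This is illustrative code, not zizmor's own audit: it assumes the direct-argument case (`fromJSON(secrets.X)` or `fromJSON(secrets)`), treats only an immediately following `.` or `[` access as the leak, and does no further data-flow tracking.

```rust
// Added illustration (not zizmor's code): scan raw workflow text for `fromJSON(secrets...)` + property access.

/// True if the text inside `fromJSON(...)` is a direct `secrets` reference,
/// e.g. `secrets.oopsie` or `secrets['oopsie']` (contexts are case-insensitive).
fn is_secrets_ref(arg: &str) -> bool {
    let a = arg.trim();
    a.to_ascii_lowercase().starts_with("secrets")
        && matches!(a[7..].chars().next(), None | Some('.') | Some('['))
}

/// Scan one `${{ ... }}` expression for `fromJSON(secrets...)` that is then
/// indexed with `.` or `[`: the decoded substrings are never redacted.
pub fn expr_leaks_secret(expr: &str) -> bool {
    let lower = expr.to_ascii_lowercase(); // function names are case-insensitive
    let mut from = 0;
    while let Some(pos) = lower[from..].find("fromjson(") {
        let start = from + pos + "fromjson(".len();
        // Find the matching `)`, honouring nested calls such as format(...).
        let (mut depth, mut end) = (1i32, None);
        for (i, c) in expr[start..].char_indices() {
            depth += (c == '(') as i32 - (c == ')') as i32;
            if depth == 0 { end = Some(start + i); break; }
        }
        let end = match end { Some(e) => e, None => return false }; // unbalanced
        let after = expr[end + 1..].trim_start();
        if is_secrets_ref(&expr[start..end]) && matches!(after.chars().next(), Some('.') | Some('[')) {
            return true;
        }
        from = end + 1;
    }
    false
}

/// Raw-body audit as the issue proposes: walk every `${{ ... }}` wherever it
/// sits in the text and return (1-based line, expression) for each leak.
pub fn audit_raw(body: &str) -> Vec<(usize, String)> {
    let mut findings = Vec::new();
    for (idx, line) in body.lines().enumerate() {
        let mut rest = line;
        while let Some(s) = rest.find("${{") {
            let len = match rest[s + 3..].find("}}") { Some(l) => l, None => break };
            let expr = rest[s + 3..s + 3 + len].trim();
            if expr_leaks_secret(expr) {
                findings.push((idx + 1, expr.to_string()));
            }
            rest = &rest[s + 3 + len + 2..];
        }
    }
    findings
}
```

Because it works on the raw text rather than the parsed YAML, it catches expressions in `env:`, `run:` blocks, `with:` inputs and anywhere else they can appear.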
