Environment variables are displayed as clear-text

Question

Environment variables are displayed as clear-text

rorpage opened this issue 5 years ago · comments

When running this action the Lambda function environment variables are displayed clear-text in the build output. Is there a flag or option to suppress that output?

Thanks! Your code works like a charm otherwise!

Paul Allen · Answer 1 · Mon Mar 23 2020 06:20:18 GMT+0800 (China Standard Time)

Second @rorpage , Love the action....but can not use this anywhere if env vars are being logged.

Bo-Yi Wu · Answer 2 · Mon Mar 23 2020 13:41:34 GMT+0800 (China Standard Time)

I will take it.

Bo-Yi Wu · Answer 3 · Mon Mar 23 2020 13:43:55 GMT+0800 (China Standard Time)

@ptallen63 Do you have any screenshots?

Adrian Godong · Answer 4 · Tue Mar 31 2020 13:35:06 GMT+0800 (China Standard Time)

Can verify this is happening. Here's an anonymized log from GHA:

##[command]/usr/bin/docker run --name e87b52daece746306b478d86dd660231940aa5_0747c0 ...
2020/03/31 05:22:05 {
  ...,
  Environment: {
    Variables: {
      AAA_BBB_CCC: "SECRET SECRET SECRET",
      DDD_EEE_FFF: "..."
    }
  },
  FunctionArn: "arn:aws:lambda:us-east-1:...",
  FunctionName: "...",
  Handler: "...",
  ...
}

I'm not proficient in Go, but I believe this issue is caused by this line: https://github.com/appleboy/drone-lambda/blob/master/plugin.go#L137

Given that Actions log file for public repos are public and it is common to store runtime secrets in env var, I believe this is an urgent security issue.

Bo-Yi Wu · Answer 5 · Tue Mar 31 2020 13:43:46 GMT+0800 (China Standard Time)

@adriangodong I will move the log message in debug mode.

Bo-Yi Wu · Answer 6 · Tue Mar 31 2020 14:06:30 GMT+0800 (China Standard Time)

bump to v0.0.3 https://github.com/appleboy/lambda-action/releases/tag/v0.0.3

Adrian Godong · Answer 7 · Wed Apr 01 2020 05:00:54 GMT+0800 (China Standard Time)

Confirmed 0.0.3 works! Thank you, much appreciated!