
usage of add-mask still echoes the value to the log

See original GitHub issue

Describe the bug
According to https://github.com/actions/runner/issues/159, the issue where the add-mask workflow command echoes/leaks the secret was supposed to be fixed, but we still observe it. This was also mentioned on the GitHub forum by a Partner.

To Reproduce
Steps to reproduce the behavior: echo "::add-mask::${{ steps.mystep.outputs.myvalue }}"

Expected behavior
Raw output is not echoed to the log.

Runner Version and Platform
Hosted Ubuntu
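The ordering problem behind this report can be reproduced offline with the following added simulation (not code from the issue or from actions/runner). It models the runner logging the step script, with `${{ }}` expressions already substituted, under a "Run" header before any of the script's own output reaches the masking filter; the token value and the `MYVALUE` variable name are constructed for the example.

```shell
# Added simulation (not actions/runner code) of how one run: step's script
# and output pass through the log masking filter. Constructed values only.

# Constructed sample standing in for steps.mystep.outputs.myvalue
MYVALUE='tok-4f9c2e71'
export MYVALUE
MASKS=''   # newline-separated values registered via ::add-mask::

# Log sink: a line starting with ::add-mask:: registers a mask and is not
# printed; every LATER line has registered values replaced with ***.
# Lines logged before registration go out untouched, which is the leak.
log_line() {
    case $1 in
        ::add-mask::*)
            MASKS="$MASKS
${1#::add-mask::}"
            return ;;
    esac
    line=$1
    for m in $MASKS; do
        # assumes mask values contain no whitespace or sed metacharacters
        line=$(printf '%s\n' "$line" | sed "s|$m|***|g")
    done
    printf '%s\n' "$line"
}

# The runner logs the step script under "Run" (with ${{ }} expressions
# already substituted) BEFORE executing it, then logs each output line.
run_step() {
    MASKS=''
    log_line "Run $1"
    sh -c "$1" | while IFS= read -r out; do log_line "$out"; done
}

# 1. The pattern from the issue: the expression is inlined, so the substituted
#    value lands in the "Run ..." header before the mask exists.
#    (workflow form: echo "::add-mask::${{ steps.mystep.outputs.myvalue }}")
inline_script="echo \"::add-mask::$MYVALUE\"; echo \"token=$MYVALUE\""

# 2. Indirection through an env var: the header shows the literal $MYVALUE
#    and the shell expands it only after the mask is registered.
#    (workflow form: env: MYVALUE: ${{ steps.mystep.outputs.myvalue }})
env_script='echo "::add-mask::$MYVALUE"; echo "token=$MYVALUE"'

# Number of log lines that still contain the raw value (0 = fully masked)
leak_count() {
    run_step "$1" | grep -c "$MYVALUE" || true
}

printf '%s\n' '--- inline expression ---';   run_step "$inline_script"
printf '%s\n' '--- env var indirection ---'; run_step "$env_script"
```

In a real log the place to check is the "Run ..." header of the step: an inlined expression shows up there before any add-mask has taken effect.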

Issue Analytics

  • State: open
  • Created: 3 years ago
  • Reactions: 54
  • Comments: 53 (8 by maintainers)

Top GitHub Comments

30 reactions
ZebraFlesh commented, May 29, 2020

I guess I’m back to my original post then: what is the point of add-mask if it inherently exposes secrets?

25 reactions
sshymko commented, Dec 10, 2020

Accidentally discovered the following undocumented feature that can be used as a workaround for masking sensitive data. GitHub Actions appears to automatically mask inputs / environment variables following certain naming conventions. For instance, a plaintext variable named WEBHOOK_TOKEN holding a JWT is masked the same way as encrypted secrets would be. It would be great to officially document this behavior along with the supported keywords to make it safe to rely upon.

GitHub Action configuration:

name: Test
on:
  workflow_dispatch:
    inputs:
      WEBHOOK_URL:
        description: 'Webhook URL'
        required: true
      WEBHOOK_METHOD:
        description: 'Webhook method'
        required: true
        default: 'GET'
      WEBHOOK_TOKEN:
        description: 'Webhook token'
        required: true
jobs:
  test:
    name: Test sensitive data masking
    runs-on: ubuntu-latest
    env:
      WEBHOOK_URL: ${{ github.event.inputs.WEBHOOK_URL }}
      WEBHOOK_METHOD: ${{ github.event.inputs.WEBHOOK_METHOD }}
      WEBHOOK_TOKEN: ${{ github.event.inputs.WEBHOOK_TOKEN }}
    steps:
      - name: Notify job start
        run: |
          curl -s -o /dev/null -w "%{http_code}\n" \
            -X "$WEBHOOK_METHOD" "$WEBHOOK_URL" \
            -H "Authorization: Bearer $WEBHOOK_TOKEN"

GitHub Action log: [screenshot "github_action_log_mask_token", not reproduced here]
