diff --git a/packages/artifact/__tests__/artifactTwirpClient.test.ts b/packages/artifact/__tests__/artifactTwirpClient.test.ts index 035031e1..882c7ef4 100644 --- a/packages/artifact/__tests__/artifactTwirpClient.test.ts +++ b/packages/artifact/__tests__/artifactTwirpClient.test.ts @@ -30,24 +30,30 @@ describe('ArtifactHttpClient', () => { it('should mask signed_upload_url', () => { const response: CreateArtifactResponse = { ok: true, - signedUploadUrl: 'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token' + signedUploadUrl: + 'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token' } client.maskSecretUrls(response) expect(setSecret).toHaveBeenCalledWith('secret-token') - expect(debug).toHaveBeenCalledWith('Masked signed_upload_url: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***') + expect(debug).toHaveBeenCalledWith( + 'Masked signed_upload_url: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***' + ) }) it('should mask signed_download_url', () => { const response: GetSignedArtifactURLResponse = { - signedUrl: 'https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=secret-token' + signedUrl: + 'https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=secret-token' } client.maskSecretUrls(response) expect(setSecret).toHaveBeenCalledWith('secret-token') - expect(debug).toHaveBeenCalledWith('Masked signed_download_url: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***') + expect(debug).toHaveBeenCalledWith( + 'Masked signed_url: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***' + ) }) it('should not call setSecret if URLs are missing', () => { @@ -61,24 +67,30 @@ describe('ArtifactHttpClient', () => { it('should mask only the sensitive token part of signed_upload_url', () => { const response: CreateArtifactResponse = { ok: true, - signedUploadUrl: 'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token' + signedUploadUrl: + 'https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=secret-token' } client.maskSecretUrls(response) expect(setSecret).toHaveBeenCalledWith('secret-token') - expect(debug).toHaveBeenCalledWith('Masked signed_upload_url: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***') + expect(debug).toHaveBeenCalledWith( + 'Masked signed_upload_url: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***' + ) }) it('should mask only the sensitive token part of signed_download_url', () => { const response: GetSignedArtifactURLResponse = { - signedUrl: 'https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=secret-token' + signedUrl: + 'https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=secret-token' } client.maskSecretUrls(response) expect(setSecret).toHaveBeenCalledWith('secret-token') - expect(debug).toHaveBeenCalledWith('Masked signed_download_url: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***') + expect(debug).toHaveBeenCalledWith( + 'Masked signed_url: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***' + ) }) }) }) diff --git a/packages/artifact/src/internal/shared/artifact-twirp-client.ts b/packages/artifact/src/internal/shared/artifact-twirp-client.ts index 1d3e8c69..2d389114 100644 --- a/packages/artifact/src/internal/shared/artifact-twirp-client.ts +++ b/packages/artifact/src/internal/shared/artifact-twirp-client.ts @@ -1,6 +1,6 @@ import {HttpClient, HttpClientResponse, HttpCodes} from '@actions/http-client' import {BearerCredentialHandler} from '@actions/http-client/lib/auth' -import {setSecret, info, debug, maskSigUrl} from '@actions/core' +import {setSecret, info, debug} from '@actions/core' import {ArtifactServiceClientJSON} from '../../generated' import {getResultsServiceUrl, getRuntimeToken} from './config' import {getUserAgentString} from './user-agent' @@ -74,14 +74,27 @@ export class ArtifactHttpClient implements Rpc { } } + /** + * Masks the `sig` parameter in a URL and sets it as a secret. + * @param url The URL containing the `sig` parameter. + * @param urlType The type of the URL (e.g., 'signed_upload_url', 'signed_download_url'). + */ + maskSigUrl(url: string, urlType: string): void { + const sigMatch = url.match(/[?&]sig=([^&]+)/) + if (sigMatch) { + setSecret(sigMatch[1]) + debug(`Masked ${urlType}: ${url.replace(sigMatch[1], '***')}`) + } + } + maskSecretUrls( body: CreateArtifactResponse | GetSignedArtifactURLResponse ): void { if ('signedUploadUrl' in body && body.signedUploadUrl) { - maskSigUrl(body.signedUploadUrl, 'signed_upload_url') + this.maskSigUrl(body.signedUploadUrl, 'signed_upload_url') } if ('signedUrl' in body && body.signedUrl) { - maskSigUrl(body.signedUrl, 'signed_url') + this.maskSigUrl(body.signedUrl, 'signed_url') } } diff --git a/packages/cache/__tests__/cacheTwirpClient.test.ts b/packages/cache/__tests__/cacheTwirpClient.test.ts index dd38e8fe..e981ce1a 100644 --- a/packages/cache/__tests__/cacheTwirpClient.test.ts +++ b/packages/cache/__tests__/cacheTwirpClient.test.ts @@ -16,12 +16,12 @@ describe('CacheServiceClient', () => { beforeEach(() => { jest.clearAllMocks() - process.env['ACTIONS_RUNTIME_TOKEN'] = 'test-token' // <-- set the required env variable + process.env['ACTIONS_RUNTIME_TOKEN'] = 'test-token' client = new CacheServiceClient('test-agent') }) afterEach(() => { - delete process.env['ACTIONS_RUNTIME_TOKEN'] // <-- clean up after tests + delete process.env['ACTIONS_RUNTIME_TOKEN'] }) describe('maskSecretUrls', () => { @@ -36,7 +36,7 @@ describe('CacheServiceClient', () => { expect(setSecret).toHaveBeenCalledWith('secret-token') expect(debug).toHaveBeenCalledWith( - 'Masked signedUploadUrl: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***' + 'Masked signed_upload_url: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***' ) }) @@ -52,7 +52,7 @@ describe('CacheServiceClient', () => { expect(setSecret).toHaveBeenCalledWith('secret-token') expect(debug).toHaveBeenCalledWith( - 'Masked signedDownloadUrl: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***' + 'Masked signed_download_url: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***' ) }) @@ -75,7 +75,7 @@ describe('CacheServiceClient', () => { expect(setSecret).toHaveBeenCalledWith('secret-token') expect(debug).toHaveBeenCalledWith( - 'Masked signedUploadUrl: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***' + 'Masked signed_upload_url: https://example.com/upload?se=2025-03-05T16%3A47%3A23Z&sig=***' ) }) @@ -91,7 +91,7 @@ describe('CacheServiceClient', () => { expect(setSecret).toHaveBeenCalledWith('secret-token') expect(debug).toHaveBeenCalledWith( - 'Masked signedDownloadUrl: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***' + 'Masked signed_download_url: https://example.com/download?se=2025-03-05T16%3A47%3A23Z&sig=***' ) }) }) diff --git a/packages/cache/package.json b/packages/cache/package.json index 3a200f89..4667849d 100644 --- a/packages/cache/package.json +++ b/packages/cache/package.json @@ -31,7 +31,8 @@ "scripts": { "audit-moderate": "npm install && npm audit --json --audit-level=moderate > audit.json", "test": "echo \"Error: run tests from root\" && exit 1", - "tsc": "tsc" + "tsc": "tsc", + "clean": "rm -rf node_modules lib" }, "bugs": { "url": "https://github.com/actions/toolkit/issues" @@ -46,6 +47,7 @@ "@azure/ms-rest-js": "^2.6.0", "@azure/storage-blob": "^12.13.0", "@protobuf-ts/plugin": "^2.9.4", + "@types/node": "^22.13.9", "semver": "^6.3.1" }, "devDependencies": { diff --git a/packages/cache/src/internal/shared/cacheTwirpClient.ts b/packages/cache/src/internal/shared/cacheTwirpClient.ts index 9c121121..2c8acbe2 100644 --- a/packages/cache/src/internal/shared/cacheTwirpClient.ts +++ b/packages/cache/src/internal/shared/cacheTwirpClient.ts @@ -1,4 +1,4 @@ -import {info, debug, maskSigUrl} from '@actions/core' +import {info, debug, setSecret} from '@actions/core' import {getUserAgentString} from './user-agent' import {NetworkError, UsageError} from './errors' import {getCacheServiceURL} from '../config' @@ -153,14 +153,27 @@ export class CacheServiceClient implements Rpc { throw new Error(`Request failed`) } + /** + * Masks the `sig` parameter in a URL and sets it as a secret. + * @param url The URL containing the `sig` parameter. + * @param urlType The type of the URL (e.g., 'signed_upload_url', 'signed_download_url'). + */ + maskSigUrl(url: string, urlType: string): void { + const sigMatch = url.match(/[?&]sig=([^&]+)/) + if (sigMatch) { + setSecret(sigMatch[1]) + debug(`Masked ${urlType}: ${url.replace(sigMatch[1], '***')}`) + } + } + maskSecretUrls( body: CreateCacheEntryResponse | GetCacheEntryDownloadURLResponse ): void { if ('signedUploadUrl' in body && body.signedUploadUrl) { - maskSigUrl(body.signedUploadUrl, 'signedUploadUrl') + this.maskSigUrl(body.signedUploadUrl, 'signed_upload_url') } if ('signedDownloadUrl' in body && body.signedDownloadUrl) { - maskSigUrl(body.signedDownloadUrl, 'signedDownloadUrl') + this.maskSigUrl(body.signedDownloadUrl, 'signed_download_url') } } diff --git a/packages/core/src/core.ts b/packages/core/src/core.ts index 12359d0a..0a141693 100644 --- a/packages/core/src/core.ts +++ b/packages/core/src/core.ts @@ -391,19 +391,3 @@ export {toPosixPath, toWin32Path, toPlatformPath} from './path-utils' * Platform utilities exports */ export * as platform from './platform' - -/** - * Masks the `sig` parameter in a URL and sets it as a secret. - * @param url The URL containing the `sig` parameter. - * @param urlType The type of the URL (e.g., 'signed_upload_url', 'signed_download_url'). - * @returns The URL with the `sig` parameter masked. - */ -export function maskSigUrl(url: string, urlType: string): string { - const sigMatch = url.match(/[?&]sig=([^&]+)/) - if (sigMatch) { - setSecret(sigMatch[1]) - debug(`Masked ${urlType}: ${url.replace(sigMatch[1], '***')}`) - return url.replace(sigMatch[1], '***') - } - return url -}