Merge pull request #42 from dependabot/brrygrdn/mask-job-credentials

Ensure credentials retrieved from Dependabot are masked
github · Nov 1, 2021 · 2cd7786 · 2cd7786
2 parents 5968d26 + 15390f3
commit 2cd7786
Show file tree

Hide file tree

Showing 4 changed files with 93 additions and 2 deletions.
diff --git a/__tests__/api_client.test.ts b/__tests__/api_client.test.ts
@@ -1,3 +1,4 @@
+import * as core from '@actions/core'
 import {ApiClient} from '../src/api-client'
 
 describe('ApiClient', () => {
@@ -37,4 +38,54 @@ describe('ApiClient', () => {
     expect(jobDetails['allowed-updates'].length).toBe(1)
     expect(jobDetails['package-manager']).toBe('npm_and_yarn')
   })
+
+  test('get job credentials', async () => {
+    const apiResponse = {
+      data: {
+        attributes: {
+          credentials: [
+            {
+              type: 'no-creds',
+              host: 'example.com',
+              username: 'foo',
+              password: null,
+              token: null
+            },
+            {
+              type: 'password',
+              host: 'example.com',
+              username: 'bar',
+              password: 'bar-password',
+              token: null
+            },
+            {
+              type: 'token',
+              host: 'example.com',
+              username: 'baz',
+              password: null,
+              token: 'baz-token'
+            },
+            {
+              type: 'both',
+              host: 'example.com',
+              username: 'qux',
+              password: 'qux-password',
+              token: 'qux-token'
+            }
+          ]
+        }
+      }
+    }
+    mockAxios.get.mockResolvedValue({status: 200, data: apiResponse})
+    jest.spyOn(core, 'setSecret').mockImplementation(jest.fn())
+
+    const jobCredentials = await api.getCredentials()
+    expect(jobCredentials.length).toBe(4)
+
+    expect(core.setSecret).toHaveBeenCalledTimes(4)
+    expect(core.setSecret).toHaveBeenCalledWith('bar-password')
+    expect(core.setSecret).toHaveBeenCalledWith('baz-token')
+    expect(core.setSecret).toHaveBeenCalledWith('qux-password')
+    expect(core.setSecret).toHaveBeenCalledWith('qux-token')
+  })
 })
diff --git a/dist/main/index.js b/dist/main/index.js
diff --git a/dist/main/index.js.map b/dist/main/index.js.map
diff --git a/src/api-client.ts b/src/api-client.ts
@@ -1,3 +1,4 @@
+import * as core from '@actions/core'
 import {AxiosInstance} from 'axios'
 import {JobParameters} from './inputs'
 
@@ -58,6 +59,16 @@ export class ApiClient {
       throw new Error(`Unexpected status code: ${res.status}`)
     }
 
+    // Mask any secrets we've just retrieved from Actions logs
+    for (const credential of res.data.data.attributes.credentials) {
+      if (credential.password) {
+        core.setSecret(credential.password)
+      }
+      if (credential.token) {
+        core.setSecret(credential.token)
+      }
+    }
+
     return res.data.data.attributes.credentials
   }