未验证 提交 449d0430 编辑于 作者: Mike McQuaid's avatar Mike McQuaid 提交者: GitHub

Merge pull request #12414 from alebcay/create_github_pr_redact_secrets

GitHub.create_bump_pr: don't leak GitHub token if set via environment variable
......@@ -53,10 +53,10 @@ class SystemCommand
each_output_line do |type, line|
case type
when :stdout
$stdout << line if print_stdout?
$stdout << redact_secrets(line, @secrets) if print_stdout?
@output << [:stdout, line]
when :stderr
$stderr << line if print_stderr?
$stderr << redact_secrets(line, @secrets) if print_stderr?
@output << [:stderr, line]
end
end
......
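Review bot: The raw line is still appended to `@output` on the line following each redacted write (`@output << [:stdout, line]`, `@output << [:stderr, line]`), so only what is echoed to the terminal is masked; a caller that later prints the captured stdout/stderr, or an exception message built from that captured output, can still reveal the secret. That is presumably intentional, since callers need the real output, but it deserves a comment at the top of the `case`: `# Only the copy echoed to $stdout/$stderr is redacted; @output keeps the real line for callers.` Redaction is also applied per yielded line, so if `each_output_line` ever yields partial chunks a secret straddling two chunks would pass through unmasked — worth checking against that helper, which is outside the hunk. The enclosing method starts and ends outside this hunk.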
......@@ -282,6 +282,30 @@ describe SystemCommand do
end
end
context "when running a process that prints secrets" do
it "does not leak the secrets" do
redacted_msg = /#{Regexp.escape("username:******")}/
expect {
described_class.run! "echo",
args: %w[username:hunter2],
verbose: true,
print_stdout: true,
secrets: %w[hunter2]
}.to output(redacted_msg).to_stdout
end
it "does not leak the secrets set by environment" do
redacted_msg = /#{Regexp.escape("username:******")}/
expect {
ENV["PASSWORD"] = "hunter2"
described_class.run! "echo",
args: %w[username:hunter2],
print_stdout: true,
verbose: true
}.to output(redacted_msg).to_stdout
end
end
context "when a `SIGINT` handler is set in the parent process" do
it "is not interrupted" do
start_time = Time.now
......
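Review bot: Both new examples only assert that `username:******` appears somewhere in stdout; neither asserts that `hunter2` is absent, so a regression that printed the masked line and then the raw one would still pass. Add a negative check to each, e.g. `expect { described_class.run! "echo", args: %w[username:hunter2], print_stdout: true, secrets: %w[hunter2] }.not_to output(/hunter2/).to_stdout`. The second example also assigns `ENV["PASSWORD"] = "hunter2"` inside the `expect` block and never removes it, so the value leaks into every later example in the process; wrap the assignment in `begin`/`ensure` with `ENV.delete("PASSWORD")` or restore it in an `after` hook. How `PASSWORD` ends up in the redaction set is not visible here (no `secrets:` is passed), so the example relies on `SystemCommand` selecting it from the environment by name — a one-line comment stating that would help. The surrounding `describe SystemCommand` block continues outside the hunk.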
......@@ -5,12 +5,16 @@ require "uri"
require "utils/github/actions"
require "utils/github/api"
require "system_command"
# Wrapper functions for the GitHub API.
#
# @api private
module GitHub
extend T::Sig
include SystemCommand::Mixin
module_function
def check_runs(repo: nil, commit: nil, pr: nil)
......@@ -530,7 +534,8 @@ module GitHub
"--", *changed_files
return if args.commit?
safe_system "git", "push", "--set-upstream", remote_url, "#{branch}:#{branch}"
system_command!("git", args: ["push", "--set-upstream", remote_url, "#{branch}:#{branch}"],
print_stdout: true)
safe_system "git", "checkout", "--quiet", previous_branch
pr_message = <<~EOS
#{pr_message}
......
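Review bot: `include SystemCommand::Mixin` (first hunk) adds `system_command!` as an instance method of `GitHub`, but under `module_function` these methods are called on the `GitHub` module object itself, where instance methods of an included module are not reachable — unless the mixin's `included` hook also extends the base (not shown here), the new `system_command!` call on the `git push` line will raise `NoMethodError`; `extend SystemCommand::Mixin` is the form that matches `module_function`. The new call also passes no `secrets:`, so masking of a token embedded in `remote_url` depends entirely on `SystemCommand` discovering it from the environment; if the token is in a local where `remote_url` is built (outside the hunk), passing it explicitly as `secrets: [token]` makes the redaction independent of how the token was obtained. `create_bump_pr` starts and ends outside this hunk.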