tl;dr - To stop the masking you need to stop referencing any Actions secrets whose values equal `{` and `}`.

**Long version**

I can reproduce the behaviour with the GitHub Actions workflow file below if you first create two Actions secrets in scope for your workflow (i.e. at the repository or organisation level):
**Actions secrets**

| Secret Name | Value |
|---|---|
| LEFT_CURLY | `{` |
| RIGHT_CURLY | `}` |
**myWorkflow.yaml**

The interesting one is the `activate-masking` step...
```yaml
name: myWorkflow
on:
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - id: define-output
        name: define output
        shell: pwsh
        run: |
          $array1 = @(
            [pscustomobject] @{
              "variable1" = "hello1"
            },
            [pscustomobject] @{
              "variable1" = "hello2"
            }
          );
          write-host "::set-output name=myjson::$( $array1 | ConvertTo-JSON -Compress)"
      - id: activate-masking
        name: activate masking
        shell: pwsh
        run: |
          # referencing a secret anywhere in a step activates
          # log masking for its value in the *entire* workflow
          write-host "left = '${{ secrets.LEFT_CURLY}}'"
          write-host "right = '${{ secrets.RIGHT_CURLY }}'"
      - id: consume-output
        name: consume output
        shell: pwsh
        run: |
          # decode and re-encode the data to remove the "compressed"
          # output format as noted by @mklement0 in comments
          $json = '${{ steps.define-output.outputs.myjson }}'
          $data = $json | ConvertFrom-Json
          # write the json to the log output. if masking is active
          # then any secrets in the output will be masked with "***"
          write-host ($data| ConvertTo-Json)
          # encode the json so it bypasses masking and we can get the true
          # value contained in the variable
          write-host "base64 = '$([System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($json)))'"
```
The output from the "consume output" step looks like this:

```text
[v] consume output
Run write-host "left = '***'"
left = '***'
right = '***'
[
***
"variable1": "hello1"
***,
***
"variable1": "hello2"
***
]
base64 = 'W3sidmFyaWFibGUxIjoiaGVsbG8xIn0seyJ2YXJpYWJsZTEiOiJoZWxsbzIifV0='
```
Note that the `***` masking is applied to the log file only, not to the variable values themselves. If you decode the base64 string you end up with:

```json
[{"variable1":"hello1"},{"variable1":"hello2"}]
```

so you can see the variable's value is as expected.
Note also that the masking only happens when a secret is referenced in a step - e.g. if you remove these lines from the `activate-masking` step it will stop masking the values, even though the secrets are still defined in the workflow's scope:

```powershell
# remove these lines to stop masking their values
# write-host "left = '${{ secrets.LEFT_CURLY}}'"
# write-host "right = '${{ secrets.RIGHT_CURLY }}'"
```

To stop the masking you need to stop referencing any Actions secrets whose values equal `{` and `}`.
**Bonus round**

Note that there's an injection vulnerability in my action for specially crafted json values coming from malicious input - e.g. if I could *somehow* make the value of `variable1` in the json end up being this mystery string (e.g. by supplying it to you as user input):

```text
}]';write-host aaa;$y='
```

then the Action above would execute this PowerShell:

```powershell
$json = '[{"variable1":"}]';write-host aaa;$y='}]'
```

which is equivalent to

```powershell
$json = '[{"variable1":"}]';
write-host aaa;
$y='}]'
```

and it will actually execute `write-host aaa;` as a command rather than treating it as input data.
To avoid that you *might* want to consider passing the output as a base64-encoded string - e.g.

```yaml
      - id: define-output
        ...
          $base64 = [System.Convert]::ToBase64String(
            [System.Text.Encoding]::UTF8.GetBytes(
              ($array1 | ConvertTo-JSON -Compress)
            )
          )
          write-host "::set-output name=myjson::$base64"
      - id: consume-output
        ...
          $base64 = '${{ steps.define-output.outputs.myjson }}'
          $json = [System.Text.Encoding]::UTF8.GetString(
            [System.Convert]::FromBase64String(
              $base64
            )
          )
```

That way your json data won't accidentally get promoted to execution as code...
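As an added example (not part of this answer), a small Python checker that finds `${{ ... }}` expressions spliced into `run:` scripts, the pattern behind the injection above, and separates them from `secrets.*` references, which only trigger masking. The workflow text is a constructed excerpt of myWorkflow.yaml; the `safe-consume` step, which reads the same output through `env:` instead of splicing it into script source, is my addition.

```python
import re

# Constructed excerpt of the answer's myWorkflow.yaml, plus a third step (my
# addition) that reads the same output through env: instead of splicing it in.
WORKFLOW = """\
jobs:
  build:
    steps:
      - id: activate-masking
        run: |
          write-host "left = '${{ secrets.LEFT_CURLY }}'"
      - id: consume-output
        run: |
          $json = '${{ steps.define-output.outputs.myjson }}'
      - id: safe-consume
        env:
          MYJSON: ${{ steps.define-output.outputs.myjson }}
        run: |
          $json = $env:MYJSON
"""

EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
UNTRUSTED = ("steps.", "github.event.", "inputs.", "needs.")  # outsider-influenced contexts

def classify(expr):
    if expr.startswith("secrets."):
        return "masking"    # value becomes *** in every log line of the run
    if expr.startswith(UNTRUSTED):
        return "injection"  # spliced into script source; read it from env: instead
    return "ok"

def audit(text):
    """(line, expression, verdict) for every ${{ }} inside a run: script; block membership is tracked by indentation."""
    found, run_indent = [], None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.lstrip()
        if not stripped:
            continue
        indent = len(raw) - len(stripped)
        if run_indent is not None and indent <= run_indent:
            run_indent = None                    # back out of the run: block
        key = re.match(r"(-\s+)?run:(.*)$", stripped)
        if key:                                  # the key line itself may carry expressions
            run_indent = indent + len(key.group(1) or "")
            found += [(lineno, e, classify(e)) for e in EXPR.findall(key.group(2))]
        elif run_indent is not None:
            found += [(lineno, e, classify(e)) for e in EXPR.findall(stripped)]
    return found
```

Against the excerpt, `audit(WORKFLOW)` reports line 6 (`secrets.LEFT_CURLY`, masking) and line 9 (`steps.define-output.outputs.myjson`, injection); the `env:` value in `safe-consume` is not reported because it never lands in script source.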