fix: prevent secret variable leaks in summary, verbose and key ordering

- mask secret values in `task --summary` (commands and vars listing) - mask resolved value of dynamic (sh) secrets in verbose logs - use masked command for platform-skipped verbose log - allow `secret` key in any position in a var definition (not only first) - add `value` to the JSON schema var definition - skip masking pass when no secret is present and dedup mask helpers - document that the `secret` flag is not propagated to derived variables
2026-06-29 23:55:18 +00:00 · 2026-06-29 12:36:56 +02:00
parent 8545e02e5e
commit da90ecd083
12 changed files with 175 additions and 60 deletions
--- a/taskfile/ast/var.go
+++ b/taskfile/ast/var.go
@@ -19,35 +19,43 @@ type Var struct {
 func (v *Var) UnmarshalYAML(node *yaml.Node) error {
 	switch node.Kind {
 	case yaml.MappingNode:
-		key := "<none>"
-		if len(node.Content) > 0 {
-			key = node.Content[0].Value
+		var m struct {
+			Sh     *string
+			Ref    string
+			Map    any
+			Value  any
+			Secret bool
 		}
-		switch key {
-		case "sh", "ref", "map", "value":
-			var m struct {
-				Sh     *string
-				Ref    string
-				Map    any
-				Value  any
-				Secret bool
-			}
-			if err := node.Decode(&m); err != nil {
-				return errors.NewTaskfileDecodeError(err, node)
-			}
-			v.Sh = m.Sh
-			v.Ref = m.Ref
-			v.Secret = m.Secret
-			// Handle both "map" and "value" keys
-			if m.Map != nil {
-				v.Value = m.Map
-			} else if m.Value != nil {
-				v.Value = m.Value
-			}
-			return nil
-		default:
-			return errors.NewTaskfileDecodeError(nil, node).WithMessage(`%q is not a valid variable type. Try "sh", "ref", "map", "value" or using a scalar value`, key)
+		if err := node.Decode(&m); err != nil {
+			return errors.NewTaskfileDecodeError(err, node)
 		}
+		// Validate the keys regardless of their order: every key must be known
+		// and at least one type-defining key must be present. "secret" is a
+		// modifier, not a type, so it can appear in any position.
+		hasType := false
+		for i := 0; i+1 < len(node.Content); i += 2 {
+			switch node.Content[i].Value {
+			case "sh", "ref", "map", "value":
+				hasType = true
+			case "secret":
+				// modifier, not a type
+			default:
+				return errors.NewTaskfileDecodeError(nil, node).WithMessage(`%q is not a valid variable type. Try "sh", "ref", "map", "value" or using a scalar value`, node.Content[i].Value)
+			}
+		}
+		if !hasType {
+			return errors.NewTaskfileDecodeError(nil, node).WithMessage(`a variable must define one of "sh", "ref", "map", "value" or be a scalar value`)
+		}
+		v.Sh = m.Sh
+		v.Ref = m.Ref
+		v.Secret = m.Secret
+		// Handle both "map" and "value" keys
+		if m.Map != nil {
+			v.Value = m.Map
+		} else if m.Value != nil {
+			v.Value = m.Value
+		}
+		return nil
 	default:
 		var value any
 		if err := node.Decode(&value); err != nil {