fix: prevent secret variable leaks in summary, verbose and key ordering
- mask secret values in `task --summary` (commands and vars listing) - mask resolved value of dynamic (sh) secrets in verbose logs - use masked command for platform-skipped verbose log - allow `secret` key in any position in a var definition (not only first) - add `value` to the JSON schema var definition - skip masking pass when no secret is present and dedup mask helpers - document that the `secret` flag is not propagated to derived variables
18
testdata/secrets/Taskfile.yml
vendored
18
testdata/secrets/Taskfile.yml
vendored
@@ -51,11 +51,29 @@ tasks:
|
||||
- defer: echo "Cleanup with secret={{.DEFERRED_SECRET}} and app={{.APP_NAME}}"
|
||||
- echo "Main command executed"
|
||||
|
||||
test-dynamic-secret-verbose:
|
||||
desc: Test that dynamic (sh) secrets are masked even in verbose logs
|
||||
cmds:
|
||||
- echo "Password is {{.PASSWORD}}"
|
||||
|
||||
test-secret-key-order:
|
||||
desc: Test that "secret" may be declared before the value/sh key
|
||||
vars:
|
||||
SECRET_FIRST:
|
||||
secret: true
|
||||
value: "order-independent-secret"
|
||||
SH_SECRET_FIRST:
|
||||
secret: true
|
||||
sh: "echo 'sh-order-independent-secret'"
|
||||
cmds:
|
||||
- echo "Value={{.SECRET_FIRST}} Sh={{.SH_SECRET_FIRST}}"
|
||||
|
||||
test-env-secret-limitation:
|
||||
desc: Test showing that env vars with secret flag are NOT masked (limitation)
|
||||
env:
|
||||
SECRET_TOKEN:
|
||||
value: "env-secret-token-123"
|
||||
secret: true
|
||||
PUBLIC_ENV: "public-value"
|
||||
cmds:
|
||||
# Templates {{.VAR}} don't work with env - they're empty
|
||||
|
||||
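Review bot: In `test-secret-key-order` the two fixture values overlap: `order-independent-secret` (SECRET_FIRST) is a substring of `sh-order-independent-secret` (SH_SECRET_FIRST). If masking substitutes secret values in already-rendered text (the masking code is not visible on this page, so this is an assumption), the expected output depends on which value is replaced first, and a shorter-first pass would leave the `sh-` prefix of the second secret unmasked. The case would then pass or fail for reasons unrelated to key order. Disjoint values keep it focused, for example `value: "key-order-value-secret"` and `sh: "echo 'key-order-sh-secret'"` (constructed samples); overlapping secrets, if worth covering, fit better in a separate task with its own `desc`. The rendering does not mark which lines are added, and `test-env-secret-limitation` continues past the end of the hunk.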