diff --git a/dist/merge/index.js b/dist/merge/index.js index 0d8e05f..dd65428 100644 --- a/dist/merge/index.js +++ b/dist/merge/index.js @@ -5576,6 +5576,7 @@ const generated_1 = __nccwpck_require__(57730); const config_1 = __nccwpck_require__(63890); const user_agent_1 = __nccwpck_require__(269); const errors_1 = __nccwpck_require__(75971); +const util_1 = __nccwpck_require__(33337); class ArtifactHttpClient { constructor(userAgent, maxAttempts, baseRetryIntervalMilliseconds, retryMultiplier) { this.maxAttempts = 5; @@ -5614,35 +5615,6 @@ class ArtifactHttpClient { } }); } - /** - * Masks the `sig` parameter in a URL and sets it as a secret. - * @param url The URL containing the `sig` parameter. - * @returns A masked URL where the sig parameter value is replaced with '***' if found, - * or the original URL if no sig parameter is present. - */ - maskSigUrl(url) { - const sigIndex = url.indexOf('sig='); - if (sigIndex !== -1) { - const sigValue = url.substring(sigIndex + 4); - (0, core_1.setSecret)(sigValue); - return `${url.substring(0, sigIndex + 4)}***`; - } - return url; - } - maskSecretUrls(body) { - if (typeof body === 'object' && body !== null) { - if ('signed_upload_url' in body && - typeof body.signed_upload_url === 'string') { - this.maskSigUrl(body.signed_upload_url); - } - if ('signed_url' in body && typeof body.signed_url === 'string') { - this.maskSigUrl(body.signed_url); - } - } - else { - (0, core_1.debug)('body is not an object or is null'); - } - } retryableRequest(operation) { return __awaiter(this, void 0, void 0, function* () { let attempt = 0; @@ -5657,7 +5629,7 @@ class ArtifactHttpClient { (0, core_1.debug)(`[Response] - ${response.message.statusCode}`); (0, core_1.debug)(`Headers: ${JSON.stringify(response.message.headers, null, 2)}`); const body = JSON.parse(rawBody); - this.maskSecretUrls(body); + (0, util_1.maskSecretUrls)(body); (0, core_1.debug)(`Body: ${JSON.stringify(body, null, 2)}`); if (this.isSuccessStatusCode(statusCode)) { return { response, body }; @@ -5975,10 +5947,11 @@ var __importDefault = (this && this.__importDefault) || function (mod) { return (mod && mod.__esModule) ? mod : { "default": mod }; }; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.getBackendIdsFromToken = void 0; +exports.maskSecretUrls = exports.maskSigUrl = exports.getBackendIdsFromToken = void 0; const core = __importStar(__nccwpck_require__(57818)); const config_1 = __nccwpck_require__(63890); const jwt_decode_1 = __importDefault(__nccwpck_require__(96538)); +const core_1 = __nccwpck_require__(57818); const InvalidJwtError = new Error('Failed to get backend IDs: The provided JWT token is invalid and/or missing claims'); // uses the JWT token claims to get the // workflow run and workflow job run backend ids @@ -6027,6 +6000,138 @@ function getBackendIdsFromToken() { throw InvalidJwtError; } exports.getBackendIdsFromToken = getBackendIdsFromToken; +/** + * Masks the `sig` parameter in a URL and sets it as a secret. + * @param url The URL containing the `sig` parameter. + * @returns A masked URL where the sig parameter value is replaced with '***' if found, + * or the original URL if no sig parameter is present. + */ +function maskSigUrl(url) { + if (!url) + return url; + try { + const rawSigRegex = /[?&](sig)=([^&=#]+)/gi; + let match; + while ((match = rawSigRegex.exec(url)) !== null) { + const rawSignature = match[2]; + if (rawSignature) { + (0, core_1.setSecret)(rawSignature); + } + } + let parsedUrl; + try { + parsedUrl = new URL(url); + } + catch (_a) { + try { + parsedUrl = new URL(url, 'https://example.com'); + } + catch (error) { + (0, core_1.debug)(`Failed to parse URL: ${url}`); + return maskSigWithRegex(url); + } + } + let masked = false; + const paramNames = Array.from(parsedUrl.searchParams.keys()); + for (const paramName of paramNames) { + if (paramName.toLowerCase() === 'sig') { + const signature = parsedUrl.searchParams.get(paramName); + if (signature) { + (0, core_1.setSecret)(signature); + (0, core_1.setSecret)(encodeURIComponent(signature)); + parsedUrl.searchParams.set(paramName, '***'); + masked = true; + } + } + } + if (masked) { + return parsedUrl.toString(); + } + if (/([:?&]|^)(sig)=([^&=#]+)/i.test(url)) { + return maskSigWithRegex(url); + } + } + catch (error) { + (0, core_1.debug)(`Error masking URL: ${error instanceof Error ? error.message : String(error)}`); + return maskSigWithRegex(url); + } + return url; +} +exports.maskSigUrl = maskSigUrl; +/** + * Fallback method to mask signatures using regex when URL parsing fails + */ +function maskSigWithRegex(url) { + try { + const regex = /([:?&]|^)(sig)=([^&=#]+)/gi; + return url.replace(regex, (fullMatch, prefix, paramName, value) => { + if (value) { + (0, core_1.setSecret)(value); + try { + (0, core_1.setSecret)(decodeURIComponent(value)); + } + catch (_a) { + // Ignore decoding errors + } + return `${prefix}${paramName}=***`; + } + return fullMatch; + }); + } + catch (error) { + (0, core_1.debug)(`Error in maskSigWithRegex: ${error instanceof Error ? error.message : String(error)}`); + return url; + } +} +/** + * Masks any URLs containing signature parameters in the provided object + * Recursively searches through nested objects and arrays + */ +function maskSecretUrls(body) { + if (typeof body !== 'object' || body === null) { + (0, core_1.debug)('body is not an object or is null'); + return; + } + const processUrl = (url) => { + maskSigUrl(url); + }; + const processObject = (obj) => { + if (typeof obj !== 'object' || obj === null) { + return; + } + if (Array.isArray(obj)) { + for (const item of obj) { + if (typeof item === 'string') { + processUrl(item); + } + else if (typeof item === 'object' && item !== null) { + processObject(item); + } + } + return; + } + if ('signed_upload_url' in obj && + typeof obj.signed_upload_url === 'string') { + maskSigUrl(obj.signed_upload_url); + } + if ('signed_url' in obj && typeof obj.signed_url === 'string') { + maskSigUrl(obj.signed_url); + } + for (const key in obj) { + const value = obj[key]; + if (typeof value === 'string') { + if (/([:?&]|^)(sig)=/i.test(value)) { + maskSigUrl(value); + } + } + else if (typeof value === 'object' && value !== null) { + processObject(value); + } + } + }; + processObject(body); +} +exports.maskSecretUrls = maskSecretUrls; //# sourceMappingURL=util.js.map /***/ }), diff --git a/dist/upload/index.js b/dist/upload/index.js index 119703a..b2db52d 100644 --- a/dist/upload/index.js +++ b/dist/upload/index.js @@ -5576,6 +5576,7 @@ const generated_1 = __nccwpck_require__(57730); const config_1 = __nccwpck_require__(63890); const user_agent_1 = __nccwpck_require__(269); const errors_1 = __nccwpck_require__(75971); +const util_1 = __nccwpck_require__(33337); class ArtifactHttpClient { constructor(userAgent, maxAttempts, baseRetryIntervalMilliseconds, retryMultiplier) { this.maxAttempts = 5; @@ -5614,35 +5615,6 @@ class ArtifactHttpClient { } }); } - /** - * Masks the `sig` parameter in a URL and sets it as a secret. - * @param url The URL containing the `sig` parameter. - * @returns A masked URL where the sig parameter value is replaced with '***' if found, - * or the original URL if no sig parameter is present. - */ - maskSigUrl(url) { - const sigIndex = url.indexOf('sig='); - if (sigIndex !== -1) { - const sigValue = url.substring(sigIndex + 4); - (0, core_1.setSecret)(sigValue); - return `${url.substring(0, sigIndex + 4)}***`; - } - return url; - } - maskSecretUrls(body) { - if (typeof body === 'object' && body !== null) { - if ('signed_upload_url' in body && - typeof body.signed_upload_url === 'string') { - this.maskSigUrl(body.signed_upload_url); - } - if ('signed_url' in body && typeof body.signed_url === 'string') { - this.maskSigUrl(body.signed_url); - } - } - else { - (0, core_1.debug)('body is not an object or is null'); - } - } retryableRequest(operation) { return __awaiter(this, void 0, void 0, function* () { let attempt = 0; @@ -5657,7 +5629,7 @@ class ArtifactHttpClient { (0, core_1.debug)(`[Response] - ${response.message.statusCode}`); (0, core_1.debug)(`Headers: ${JSON.stringify(response.message.headers, null, 2)}`); const body = JSON.parse(rawBody); - this.maskSecretUrls(body); + (0, util_1.maskSecretUrls)(body); (0, core_1.debug)(`Body: ${JSON.stringify(body, null, 2)}`); if (this.isSuccessStatusCode(statusCode)) { return { response, body }; @@ -5975,10 +5947,11 @@ var __importDefault = (this && this.__importDefault) || function (mod) { return (mod && mod.__esModule) ? mod : { "default": mod }; }; Object.defineProperty(exports, "__esModule", ({ value: true })); -exports.getBackendIdsFromToken = void 0; +exports.maskSecretUrls = exports.maskSigUrl = exports.getBackendIdsFromToken = void 0; const core = __importStar(__nccwpck_require__(57818)); const config_1 = __nccwpck_require__(63890); const jwt_decode_1 = __importDefault(__nccwpck_require__(96538)); +const core_1 = __nccwpck_require__(57818); const InvalidJwtError = new Error('Failed to get backend IDs: The provided JWT token is invalid and/or missing claims'); // uses the JWT token claims to get the // workflow run and workflow job run backend ids @@ -6027,6 +6000,138 @@ function getBackendIdsFromToken() { throw InvalidJwtError; } exports.getBackendIdsFromToken = getBackendIdsFromToken; +/** + * Masks the `sig` parameter in a URL and sets it as a secret. + * @param url The URL containing the `sig` parameter. + * @returns A masked URL where the sig parameter value is replaced with '***' if found, + * or the original URL if no sig parameter is present. + */ +function maskSigUrl(url) { + if (!url) + return url; + try { + const rawSigRegex = /[?&](sig)=([^&=#]+)/gi; + let match; + while ((match = rawSigRegex.exec(url)) !== null) { + const rawSignature = match[2]; + if (rawSignature) { + (0, core_1.setSecret)(rawSignature); + } + } + let parsedUrl; + try { + parsedUrl = new URL(url); + } + catch (_a) { + try { + parsedUrl = new URL(url, 'https://example.com'); + } + catch (error) { + (0, core_1.debug)(`Failed to parse URL: ${url}`); + return maskSigWithRegex(url); + } + } + let masked = false; + const paramNames = Array.from(parsedUrl.searchParams.keys()); + for (const paramName of paramNames) { + if (paramName.toLowerCase() === 'sig') { + const signature = parsedUrl.searchParams.get(paramName); + if (signature) { + (0, core_1.setSecret)(signature); + (0, core_1.setSecret)(encodeURIComponent(signature)); + parsedUrl.searchParams.set(paramName, '***'); + masked = true; + } + } + } + if (masked) { + return parsedUrl.toString(); + } + if (/([:?&]|^)(sig)=([^&=#]+)/i.test(url)) { + return maskSigWithRegex(url); + } + } + catch (error) { + (0, core_1.debug)(`Error masking URL: ${error instanceof Error ? error.message : String(error)}`); + return maskSigWithRegex(url); + } + return url; +} +exports.maskSigUrl = maskSigUrl; +/** + * Fallback method to mask signatures using regex when URL parsing fails + */ +function maskSigWithRegex(url) { + try { + const regex = /([:?&]|^)(sig)=([^&=#]+)/gi; + return url.replace(regex, (fullMatch, prefix, paramName, value) => { + if (value) { + (0, core_1.setSecret)(value); + try { + (0, core_1.setSecret)(decodeURIComponent(value)); + } + catch (_a) { + // Ignore decoding errors + } + return `${prefix}${paramName}=***`; + } + return fullMatch; + }); + } + catch (error) { + (0, core_1.debug)(`Error in maskSigWithRegex: ${error instanceof Error ? error.message : String(error)}`); + return url; + } +} +/** + * Masks any URLs containing signature parameters in the provided object + * Recursively searches through nested objects and arrays + */ +function maskSecretUrls(body) { + if (typeof body !== 'object' || body === null) { + (0, core_1.debug)('body is not an object or is null'); + return; + } + const processUrl = (url) => { + maskSigUrl(url); + }; + const processObject = (obj) => { + if (typeof obj !== 'object' || obj === null) { + return; + } + if (Array.isArray(obj)) { + for (const item of obj) { + if (typeof item === 'string') { + processUrl(item); + } + else if (typeof item === 'object' && item !== null) { + processObject(item); + } + } + return; + } + if ('signed_upload_url' in obj && + typeof obj.signed_upload_url === 'string') { + maskSigUrl(obj.signed_upload_url); + } + if ('signed_url' in obj && typeof obj.signed_url === 'string') { + maskSigUrl(obj.signed_url); + } + for (const key in obj) { + const value = obj[key]; + if (typeof value === 'string') { + if (/([:?&]|^)(sig)=/i.test(value)) { + maskSigUrl(value); + } + } + else if (typeof value === 'object' && value !== null) { + processObject(value); + } + } + }; + processObject(body); +} +exports.maskSecretUrls = maskSecretUrls; //# sourceMappingURL=util.js.map /***/ }),