GH secrets can be returned in notifications
Hi,
Secrets should not be parsed and returned in the notifications. People may want to use this action having organization-wide secrets which should not be returned in clear text.
Example:
```yaml
- uses: actions/checkout@master
- name: Microsoft Teams Notification
  uses: skitionek/notify-microsoft-teams@master
  if: always()
  with:
    webhook_url: ${{ secrets.MS_TEAMS_WEBHOOK_URI }}
    overwrite: "{title: `Overwrote title in ${{ secrets.MS_TEAMS_WEBHOOK_URI }}`}"
```
Result:

Good point - will take a look into it
I don't think the secrets are evaluated by the eval call. They are already evaluated as part of the overwrite value by GitHub Actions. You need to escape the ${{...}} in your YAML expression.
Having said that, I guess the eval can leak undesired properties. I would go for a more explicit way to replace the variables you want to support, something like this (untested):
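```js
// Replace only explicitly supported ${name} placeholders; leave anything else untouched.
overwrite.replaceAll(/\$\{(\w+)\}/g, (match, varName) => {
  switch (varName) {
    case 'workflow_link': return workflow_link;
    // ...
    default: return match;
  }
});
```
or
```js
// Build the pattern from the allowlisted names, so only those placeholders can match.
const vars = { workflow_link, /* ... */ };
overwrite.replaceAll(new RegExp(`\\$\\{(${Object.keys(vars).join('|')})\\}`, 'g'), (match, varName) => vars[varName]);
```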
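Added example, not part of the thread and not the action's own code: a runnable comparison of template evaluation through `eval` with the allowlist substitution suggested above. `renderWithEval`, `renderAllowlisted`, `internalToken` and the sample values are constructed for illustration.

```javascript
// Constructed stand-in for a value that happens to be in scope where the
// template is evaluated (for example a token the action holds internally).
const internalToken = 'constructed-not-a-real-token';

// Contrast case: evaluating the user-supplied string as a template literal.
// Direct eval can read every identifier reachable from this scope, so the
// template author decides what ends up in the notification.
function renderWithEval(template, workflow_link) {
  return eval('`' + template + '`');
}

// Allowlist rendering: a ${name} placeholder is replaced only when `name` is
// an own key of `vars`. Unknown names and inherited properties such as
// `constructor` stay in the output as literal text and are never evaluated.
function renderAllowlisted(template, vars) {
  return template.replace(/\$\{(\w+)\}/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(vars, name) ? String(vars[name]) : match
  );
}

// Constructed sample input.
const vars = { workflow_link: 'https://example.invalid/runs/1' };

function demo() {
  return {
    // The in-scope value is expanded into the message.
    evaluated: renderWithEval(
      'Run: ${workflow_link} / ${internalToken}',
      vars.workflow_link
    ),
    // Only the allowlisted placeholder is expanded.
    allowlisted: renderAllowlisted(
      'Run: ${workflow_link} / ${internalToken} / ${constructor}',
      vars
    ),
  };
}

console.log(demo());
```

Neither variant changes what GitHub Actions does with `${{ secrets.* }}` in the workflow file: that expression is expanded before the action receives the `overwrite` input.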
@Miker91 @Skitionek I don't see such a bug as of now; maybe the bug has been fixed. Would you confirm?