build icon indicating copy to clipboard operation
build copied to clipboard

Published 20 hours ago verified publisher icon netlify

Hide Netlify Build "Flags" information when `debug` is not true

Open imballinst opened this issue 1 year ago • 3 comments

Which problem is this feature request solving?

Summary

With netlify-cli@17, Netlify deploy information (NETLIFY_AUTH_TOKEN, most importantly) is exposed when running netlify deploy when logging the "Flags" section. Impact maybe quite severe if the project is open source as people might gain access to the Netlify site using the NETLIFY_AUTH_TOKEN since the "Flags" section also contain the Netlify Site ID.

Details

I tried running this command in my local and my CI:

yarn netlify deploy --auth <NETLIFY_AUTH_TOKEN>

Both will emit this:

Deploying to draft URL...
- Uploading blobs to deploy store...
- Hashing files...
​
Netlify Build                                                 
────────────────────────────────────────────────────────────────
​
❯ Version
  @netlify/build 29.31.0
​
❯ Flags
  alias: poc-netlify
  auth: <my-token>
  deployId: <my-deploy-id>
  open: false
  prod: false
  prodIfUnlocked: false
  site: <my-site-id>
  skipFunctionsCache: false
​
❯ Current directory
  /tmp/pipelines/5709237889/1099815694/folder-name
​
❯ Config file
  /tmp/pipelines/5709237889/1099815694/folder-name/netlify.toml
​
❯ Context
  dev
✔ Finished uploading blobs to deploy store
✔ Finished hashing

This behavior does not happen in netlify-cli@16.

PoC

Assuming we're using *nix:

  1. mkdir -p test-netlify-cli/build
  2. yarn init -y (or npm)
  3. touch netlify.toml --> then fill it with [build] publish = "build"
  4. yarn add -D --exact netlify-cli@^17
  5. Add NETLIFY_SITE_ID and NETLIFY_AUTH_TOKEN environment variables (you can maybe use your existing test site)
  6. Do yarn deploy
  7. See the "Netlify Build" logs section and it will output auth: ... as plain text

Example log using netlify-cli@16: https://github.com/imballinst/imballinst.dev/actions/runs/7135903131/job/19433489618. As we could see, there are no logs as pasted in the previous section.

Considering in the Netlify CLI we have debug option, I think the "Flags" section at least should only be logged when debug=true. Otherwise, in public GitHub Actions, it's very possible that the auth token is exposed. Or not?

Let me know if my understanding is incorrect. Thanks!

Describe the solution you'd like

Only log the "Flags" section when netlify-cli passes debug=true.

Pull request (optional)

  • [ ] I can submit a pull request.

imballinst avatar Dec 11 '23 02:12 imballinst