npm package diff
Package: @actions/cache
Versions: 4.0.2 - 4.0.3
File: package/lib/internal/shared/util.js
Index: package/lib/internal/shared/util.js
===================================================================
--- package/lib/internal/shared/util.js
+++ package/lib/internal/shared/util.js
@@ -0,0 +1,74 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.maskSecretUrls = exports.maskSigUrl = void 0;
+const core_1 = require("@actions/core");
+/**
+ * Masks the `sig` parameter in a URL and sets it as a secret.
+ *
+ * @param url - The URL containing the signature parameter to mask
+ * @remarks
+ * This function attempts to parse the provided URL and identify the 'sig' query parameter.
+ * If found, it registers both the raw and URL-encoded signature values as secrets using
+ * the Actions `setSecret` API, which prevents them from being displayed in logs.
+ *
+ * The function handles errors gracefully if URL parsing fails, logging them as debug messages.
+ *
+ * @example
+ * ```typescript
+ * // Mask a signature in an Azure SAS token URL
+ * maskSigUrl('https://example.blob.core.windows.net/container/file.txt?sig=abc123&se=2023-01-01');
+ * ```
+ */
+function maskSigUrl(url) {
+ if (!url)
+ return;
+ try {
+ const parsedUrl = new URL(url);
+ const signature = parsedUrl.searchParams.get('sig');
+ if (signature) {
+ (0, core_1.setSecret)(signature);
+ (0, core_1.setSecret)(encodeURIComponent(signature));
+ }
+ }
+ catch (error) {
+ (0, core_1.debug)(`Failed to parse URL: ${url} ${error instanceof Error ? error.message : String(error)}`);
+ }
+}
+exports.maskSigUrl = maskSigUrl;
+/**
+ * Masks sensitive information in URLs containing signature parameters.
+ * Currently supports masking 'sig' parameters in the 'signed_upload_url'
+ * and 'signed_download_url' properties of the provided object.
+ *
+ * @param body - The object should contain a signature
+ * @remarks
+ * This function extracts URLs from the object properties and calls maskSigUrl
+ * on each one to redact sensitive signature information. The function doesn't
+ * modify the original object; it only marks the signatures as secrets for
+ * logging purposes.
+ *
+ * @example
+ * ```typescript
+ * const responseBody = {
+ * signed_upload_url: 'https://blob.core.windows.net/?sig=abc123',
+ * signed_download_url: 'https://blob.core/windows.net/?sig=def456'
+ * };
+ * maskSecretUrls(responseBody);
+ * ```
+ */
+function maskSecretUrls(body) {
+ if (typeof body !== 'object' || body === null) {
+ (0, core_1.debug)('body is not an object or is null');
+ return;
+ }
+ if ('signed_upload_url' in body &&
+ typeof body.signed_upload_url === 'string') {
+ maskSigUrl(body.signed_upload_url);
+ }
+ if ('signed_download_url' in body &&
+ typeof body.signed_download_url === 'string') {
+ maskSigUrl(body.signed_download_url);
+ }
+}
+exports.maskSecretUrls = maskSecretUrls;
+//# sourceMappingURL=util.js.map
\ No newline at end of file