Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Hide Netlify Build "Flags" information when debug is not true #5441

Open
1 task
imballinst opened this issue Dec 11, 2023 · 1 comment
Open
1 task

Hide Netlify Build "Flags" information when debug is not true #5441

imballinst opened this issue Dec 11, 2023 · 1 comment
Labels
stale type: feature code contributing to the implementation of a feature and/or user facing functionality

Comments

@imballinst
Copy link

Which problem is this feature request solving?

Summary

With netlify-cli@17, Netlify deploy information (NETLIFY_AUTH_TOKEN, most importantly) is exposed when running netlify deploy when logging the "Flags" section. Impact maybe quite severe if the project is open source as people might gain access to the Netlify site using the NETLIFY_AUTH_TOKEN since the "Flags" section also contain the Netlify Site ID.

Details

I tried running this command in my local and my CI:

yarn netlify deploy --auth <NETLIFY_AUTH_TOKEN>

Both will emit this:

Deploying to draft URL...
- Uploading blobs to deploy store...
- Hashing files...
​
Netlify Build                                                 
────────────────────────────────────────────────────────────────
​
❯ Version
  @netlify/build 29.31.0
​
❯ Flags
  alias: poc-netlify
  auth: <my-token>
  deployId: <my-deploy-id>
  open: false
  prod: false
  prodIfUnlocked: false
  site: <my-site-id>
  skipFunctionsCache: false
​
❯ Current directory
  /tmp/pipelines/5709237889/1099815694/folder-name
​
❯ Config file
  /tmp/pipelines/5709237889/1099815694/folder-name/netlify.toml
​
❯ Context
  dev
✔ Finished uploading blobs to deploy store
✔ Finished hashing 

This behavior does not happen in netlify-cli@16.

PoC

Assuming we're using *nix:

  1. mkdir -p test-netlify-cli/build
  2. yarn init -y (or npm)
  3. touch netlify.toml --> then fill it with [build] publish = "build"
  4. yarn add -D --exact netlify-cli@^17
  5. Add NETLIFY_SITE_ID and NETLIFY_AUTH_TOKEN environment variables (you can maybe use your existing test site)
  6. Do yarn deploy
  7. See the "Netlify Build" logs section and it will output auth: ... as plain text

Example log using netlify-cli@16: https://github.com/imballinst/imballinst.dev/actions/runs/7135903131/job/19433489618. As we could see, there are no logs as pasted in the previous section.

Considering in the Netlify CLI we have debug option, I think the "Flags" section at least should only be logged when debug=true. Otherwise, in public GitHub Actions, it's very possible that the auth token is exposed. Or not?

Let me know if my understanding is incorrect. Thanks!

Describe the solution you'd like

Only log the "Flags" section when netlify-cli passes debug=true.

Pull request (optional)

  • I can submit a pull request.
@imballinst imballinst added the type: feature code contributing to the implementation of a feature and/or user facing functionality label Dec 11, 2023
Copy link
Contributor

This issue has been automatically marked as stale because it has not had activity in 1 year. It will be closed in 14 days if no further activity occurs. Thanks!

@github-actions github-actions bot added the stale label Dec 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
stale type: feature code contributing to the implementation of a feature and/or user facing functionality
Projects
None yet
Development

No branches or pull requests

1 participant