Mask each line of multi-line secrets (#208)

* Mask each line of multi-line secrets * Don't include carriage return characters in masking * Update CHANGELOG.md
2026-04-07 20:50:09 +00:00 · 2021-05-05 11:54:07 +01:00 · 2021-05-05 11:54:07 +01:00 · 3526e1be65
commit 3526e1be65
parent f60544fbda
3 changed files with 46 additions and 2 deletions
--- a/src/action.test.js
+++ b/src/action.test.js
@ -2,6 +2,7 @@ jest.mock('got');
 jest.mock('@actions/core');
 jest.mock('@actions/core/lib/command');

+const command = require('@actions/core/lib/command');
 const core = require('@actions/core');
 const got = require('got');
 const {
@ -294,4 +295,40 @@ describe('exportSecrets', () => {
        expect(core.exportVariable).toBeCalledWith('KEY', '1');
        expect(core.setOutput).toBeCalledWith('key', '1');
    });
+
+    it('single-line secret gets masked', async () => {
+        mockInput('test key');
+        mockVaultData({
+            key: 'secret'
+        });
+        mockExportToken("false")
+
+        await exportSecrets();
+
+        expect(command.issue).toBeCalledTimes(1);
+
+        expect(command.issue).toBeCalledWith('add-mask', 'secret');
+        expect(core.setOutput).toBeCalledWith('key', 'secret');
+    })
+
+    it('multi-line secret gets masked for each line', async () => {
+        const multiLineString = `a multi-line string
+
+with blank lines
+
+`
+        mockInput('test key');
+        mockVaultData({
+            key: multiLineString
+        });
+        mockExportToken("false")
+
+        await exportSecrets();
+
+        expect(command.issue).toBeCalledTimes(2); // 1 for each non-empty line.
+
+        expect(command.issue).toBeCalledWith('add-mask', 'a multi-line string');
+        expect(command.issue).toBeCalledWith('add-mask', 'with blank lines');
+        expect(core.setOutput).toBeCalledWith('key', multiLineString);
+    })
 });