GHSA-f6mm-5fc7-3g3c

Source
https://github.com/advisories/GHSA-f6mm-5fc7-3g3c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-f6mm-5fc7-3g3c/GHSA-f6mm-5fc7-3g3c.json
Published
2024-05-15T17:17:10Z
Modified
2024-05-15T17:17:10Z
Summary
goreleaser shows environment by default
Details

Summary

Since #4787, the output of the go build command is logged at INFO level, where previously it was logged at DEBUG. That log line also embeds the environment the build was run with. So whenever go build prints anything at all, goreleaser writes the full environment, including any secrets it contains, to its normal log output.

PoC

  • Create a Go project with dependencies, and do not pull them yet (or run goreleaser later in a container, or delete $GOPATH/pkg).
  • Make sure secrets are set in the environment.
  • Make sure there is no go mod tidy in a before hook (it would download the modules before the build, leaving the build output empty).
  • Run goreleaser release --clean.
  • Go prints many go: downloading ... lines, which triggers the "if output is not empty, log it" branch, and the logged line includes the environment.

Impact

Any credentials and tokens present in the build environment, such as the GITHUB_TOKEN goreleaser itself uses to publish releases, are printed in the INFO-level log, which CI systems normally capture and retain.
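
The logging pattern behind this advisory, and the check a practitioner would run against it, as an added example that is not goreleaser's own code. The buildResult type, the leakyLog and safeLog functions, the secret-name pattern and the sample environment (with made-up token values) are all assumptions constructed for this example; leakyLog reproduces the vulnerable shape described above (non-empty build output causes one INFO line that carries the environment), and safeLog is the hardened form that keeps the environment out of INFO and redacts it even at DEBUG. leakedVars is the check: it reports which secret-looking variables have their value appear verbatim in log entries at the given level.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// logEntry is a log record: the level it would be emitted at and its message.
type logEntry struct {
	Level string
	Msg   string
}

// buildResult is what a release tool holds after running `go build`:
// the command, the environment it was given, and the combined stdout/stderr.
// Constructed for this example; not goreleaser's own type.
type buildResult struct {
	Cmd    []string
	Env    []string
	Output string
}

// leakyLog mirrors the vulnerable pattern from the advisory: if the build
// printed anything, emit one INFO line that embeds the whole environment.
// Reconstructed shape for illustration, not goreleaser's source.
func leakyLog(r buildResult) []logEntry {
	if strings.TrimSpace(r.Output) == "" {
		return nil
	}
	msg := fmt.Sprintf("cmd=%q env=%q output=%q", r.Cmd, r.Env, r.Output)
	return []logEntry{{Level: "INFO", Msg: msg}}
}

// secretName matches variable names that usually carry credentials (assumed list).
var secretName = regexp.MustCompile(`(?i)(token|secret|passw|key|credential|auth)`)

// redactEnv replaces the value of every secret-looking variable with [REDACTED]
// and leaves the other variables untouched.
func redactEnv(env []string) []string {
	out := make([]string, 0, len(env))
	for _, kv := range env {
		name, _, found := strings.Cut(kv, "=")
		if found && secretName.MatchString(name) {
			out = append(out, name+"=[REDACTED]")
			continue
		}
		out = append(out, kv)
	}
	return out
}

// safeLog is the hardened form: build output stays at INFO but carries only the
// command; the environment goes to a separate DEBUG line, redacted even there.
func safeLog(r buildResult) []logEntry {
	var entries []logEntry
	if strings.TrimSpace(r.Output) != "" {
		entries = append(entries, logEntry{"INFO", fmt.Sprintf("cmd=%q output=%q", r.Cmd, r.Output)})
	}
	entries = append(entries, logEntry{"DEBUG", fmt.Sprintf("env=%q", redactEnv(r.Env))})
	return entries
}

// leakedVars returns the names of secret-looking variables whose raw value
// appears verbatim in any entry at the given level. CI systems keep INFO
// output, so INFO is the level worth checking.
func leakedVars(entries []logEntry, env []string, atLevel string) []string {
	var leaked []string
	for _, kv := range env {
		name, val, found := strings.Cut(kv, "=")
		if !found || val == "" || !secretName.MatchString(name) {
			continue
		}
		for _, e := range entries {
			if e.Level == atLevel && strings.Contains(e.Msg, val) {
				leaked = append(leaked, name)
				break
			}
		}
	}
	return leaked
}

// sampleBuild reproduces the PoC conditions: secrets in the environment and a
// `go build` that had to download modules, so its output is non-empty.
// The variable values are invented for this example.
func sampleBuild() buildResult {
	return buildResult{
		Cmd: []string{"go", "build", "-o", "dist/app", "."},
		Env: []string{
			"HOME=/home/ci",
			"GITHUB_TOKEN=ghp_exampleonly0123456789",
			"DOCKER_PASSWORD=hunter2-example",
		},
		Output: "go: downloading golang.org/x/sys v0.20.0\ngo: downloading github.com/spf13/cobra v1.8.0\n",
	}
}

func main() {
	r := sampleBuild()
	fmt.Println("vulnerable:", leakedVars(leakyLog(r), r.Env, "INFO")) // [GITHUB_TOKEN DOCKER_PASSWORD]
	fmt.Println("hardened:  ", leakedVars(safeLog(r), r.Env, "INFO"))  // []
}
```

The same leakedVars check can be pointed at a captured CI log once it is split into level-tagged lines, which is the quickest way to find out whether a run on the affected version has already exposed a token that now needs rotating.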

Affected packages

Go / github.com/goreleaser/goreleaser

Affected ranges

Type
SEMVER
Events
Introduced
1.26.0
Fixed
1.26.1

Affected versions

1.26.0