GHSA-h3q2-8whx-c29h
Suggest an improvement- Source
- https://github.com/advisories/GHSA-h3q2-8whx-c29h
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-h3q2-8whx-c29h/GHSA-h3q2-8whx-c29h.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-h3q2-8whx-c29h
- Aliases
- Related
- Published
- 2024-01-30T20:57:52Z
- Modified
- 2024-03-04T18:45:24Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- `goreleaser release --debug` shows secrets
- Details
-
Summary
Hello 👋
goreleaser release --debuglog shows secret values used in the in the custom publisher.How to reproduce the issue:
Define a custom publisher as the one below. Make sure to provide a custom script to the
cmdfield and to provide a secret toenv#.goreleaser.yml publishers: - name: my-publisher # IDs of the artifacts we want to sign ids: - linux_archives - linux_package cmd: "./build/package/linux_notarize.sh" env: - VERSION={{ .Version }} - SECRET_1={{.Env.SECRET_1}} - SECRET_2={{.Env.SECRET_2}}run
goreleaser release --debug
You should see your secret value in the gorelease log. The log shows also the
GITHUB_TOKENExample:
running cmd= .... SECRET_1=secret_value - Database specific
{ "nvd_published_at": "2024-01-30T17:15:11Z", "cwe_ids": [ "CWE-532" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-01-30T20:57:52Z" }- References
Affected packages
Go / github.com/goreleaser/goreleaser
Package
- Name
- github.com/goreleaser/goreleaser
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/goreleaser/goreleaser