Headline
GHSA-h3q2-8whx-c29h: `goreleaser release --debug` shows secrets
Summary
Hello 👋
The `goreleaser release --debug` log shows the secret values used in the custom publisher.
How to reproduce the issue:
- Define a custom publisher like the one below. Make sure to provide a custom script in the `cmd` field and a secret in `env`:
```yaml
# .goreleaser.yml
publishers:
  - name: my-publisher
    # IDs of the artifacts we want to sign
    ids:
      - linux_archives
      - linux_package
    cmd: "./build/package/linux_notarize.sh"
    env:
      - VERSION={{ .Version }}
      - SECRET_1={{.Env.SECRET_1}}
      - SECRET_2={{.Env.SECRET_2}}
```
- Run `goreleaser release --debug`.
You should see your secret values in the goreleaser log. The log also shows the GITHUB_TOKEN.
Example:
```
running cmd= ....
SECRET_1=secret_value
```
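The root cause is that the publisher's rendered environment, including every value pulled in through `{{ .Env.* }}`, is written to the debug log verbatim. The Go program below is an added example, not goreleaser's code and not the change in the referenced commit: it renders publisher env templates the way the advisory's config does, records every value that came from the process environment, and masks those values by content rather than by key name before the command line is logged, so a token embedded in a URL is caught as well as a plain `SECRET_1=` entry. The template syntax it handles, the sample variable values and the function names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Template references in goreleaser-style publisher env entries. The
// whitespace inside the braces is optional, matching both "{{ .Version }}"
// and "{{.Env.SECRET_1}}" as written in the advisory's config.
// (Assumed syntax for this example, not goreleaser's template engine.)
var (
	envRef     = regexp.MustCompile(`\{\{\s*\.Env\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}`)
	versionRef = regexp.MustCompile(`\{\{\s*\.Version\s*\}\}`)
)

// expandEnv renders the publisher env templates into KEY=VALUE strings,
// resolving .Version from version and .Env.NAME through lookup. It also
// returns every non-empty value that was read through lookup: those are the
// values a debug log must never print, whatever key they landed under.
func expandEnv(templates []string, version string, lookup func(string) string) (env, secrets []string) {
	seen := map[string]bool{}
	for _, t := range templates {
		rendered := versionRef.ReplaceAllString(t, version)
		rendered = envRef.ReplaceAllStringFunc(rendered, func(m string) string {
			name := envRef.FindStringSubmatch(m)[1]
			v := lookup(name)
			if v != "" && !seen[v] {
				seen[v] = true
				secrets = append(secrets, v)
			}
			return v
		})
		env = append(env, rendered)
	}
	return env, secrets
}

// redactEnv returns a copy of env that is safe to log: every occurrence of
// each secret value is replaced with "***". Masking by value rather than by
// key name catches secrets embedded in other entries (for example a token
// inside a URL). Longer secrets are masked first so that a shorter secret
// which is a prefix of a longer one cannot leave the tail of the longer one
// exposed.
func redactEnv(env []string, secrets []string) []string {
	ordered := make([]string, 0, len(secrets))
	for _, s := range secrets {
		if s != "" { // replacing "" would insert *** between every byte
			ordered = append(ordered, s)
		}
	}
	sort.Slice(ordered, func(i, j int) bool { return len(ordered[i]) > len(ordered[j]) })

	out := make([]string, len(env))
	for i, kv := range env {
		for _, s := range ordered {
			kv = strings.ReplaceAll(kv, s, "***")
		}
		out[i] = kv
	}
	return out
}

// debugLine builds a "running cmd=" debug line of the kind the advisory
// quotes, from whatever env it is handed (redacted or not).
func debugLine(cmd string, env []string) string {
	return fmt.Sprintf("running cmd=%s env=[%s]", cmd, strings.Join(env, " "))
}

func main() {
	// Constructed sample values standing in for the CI environment.
	fakeEnv := map[string]string{
		"SECRET_1":     "hunter2",
		"SECRET_2":     "hunter2-extra",
		"GITHUB_TOKEN": "ghp_constructed_token",
	}
	lookup := func(name string) string { return fakeEnv[name] }

	templates := []string{
		"VERSION={{ .Version }}",
		"SECRET_1={{.Env.SECRET_1}}",
		"SECRET_2={{.Env.SECRET_2}}",
		"PUSH_URL=https://x-access-token:{{ .Env.GITHUB_TOKEN }}@github.com/org/repo.git",
	}
	env, secrets := expandEnv(templates, "1.23.0", lookup)

	cmd := "./build/package/linux_notarize.sh"
	fmt.Println("unsafe:", debugLine(cmd, env))
	fmt.Println("safe:  ", debugLine(cmd, redactEnv(env, secrets)))
}
```

The split between `expandEnv` and `redactEnv` is the point: the renderer is the only place that knows which values came from the environment, so it hands that list to the logger instead of relying on a key-name allowlist that a `PUSH_URL=` style entry would slip past.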
CVE ID
CVE-2024-23840
Severity
Moderate (GitHub Reviewed)
Published
Jan 29, 2024 in goreleaser/goreleaser
Updated
Jan 30, 2024
Package
gomod github.com/goreleaser/goreleaser (Go)
Affected versions
= 1.23.0
References
- GHSA-h3q2-8whx-c29h
- https://nvd.nist.gov/vuln/detail/CVE-2024-23840
- goreleaser/goreleaser@d5b6a53
Published to the GitHub Advisory Database
Jan 30, 2024
Last updated
Jan 30, 2024