GHSA-f6mm-5fc7-3g3c: goreleaser shows environment by default

Summary

Since #4787, the build log output is printed at the INFO level, whereas previously it was logged at DEBUG. This means that if the go build output is non-empty, goreleaser leaks the environment into its log.

PoC

  • Create a Go project with dependencies and do not pull them yet (or run goreleaser later in a container, or delete $GOPATH/pkg).
  • Make sure secrets are set in the environment.
  • Make sure there is no go mod tidy in a before hook.
  • Run goreleaser release --clean.
  • Go prints many go: downloading ... lines, so the build output is non-empty; this triggers the “if output is not empty, log it” path, and the logged line includes the environment.
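The logging pattern the PoC triggers, as an added example that is not goreleaser's code: a vulnerable log call that prints the build environment whenever the build output is non-empty, beside a hardened variant that keeps the output at INFO and shows only a redacted environment at DEBUG. The secret-name list, the sample environment and the sample output are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

type buildResult struct {
	env    []string // KEY=VALUE pairs handed to the compiler (constructed sample)
	output string   // combined stdout/stderr of `go build` (constructed sample)
}

// logVulnerable mirrors the advisory's bug: non-empty build output is logged at INFO with the whole env.
func logVulnerable(r buildResult) string {
	if strings.TrimSpace(r.output) == "" {
		return ""
	}
	return fmt.Sprintf("INFO build output env=%v output=%q", r.env, r.output)
}

// redactEnv masks values of secret-looking variables (the name list is this example's assumption).
func redactEnv(env []string) []string {
	out := make([]string, 0, len(env))
	for _, kv := range env {
		name, _, _ := strings.Cut(kv, "=")
		up := strings.ToUpper(name)
		if strings.Contains(up, "TOKEN") || strings.Contains(up, "SECRET") || strings.Contains(up, "PASSWORD") {
			kv = name + "=[REDACTED]"
		}
		out = append(out, kv)
	}
	return out
}

// logHardened keeps the compiler output at INFO; the env appears only at DEBUG, and redacted.
func logHardened(r buildResult, debug bool) string {
	if strings.TrimSpace(r.output) == "" {
		return ""
	}
	if !debug {
		return fmt.Sprintf("INFO build output output=%q", r.output)
	}
	return fmt.Sprintf("DEBUG build output env=%v output=%q", redactEnv(r.env), r.output)
}

func main() {
	r := buildResult{env: []string{"GOOS=linux", "GITHUB_TOKEN=ghp_constructedExample"}, // fake token
		output: "go: downloading github.com/example/dep v1.2.3\n"} // first build pulls modules
	fmt.Println(logVulnerable(r) + "\n" + logHardened(r, true))
}
```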

Impact

Credentials and tokens are leaked.

Moderate severity · GitHub Reviewed · Published May 15, 2024 in goreleaser/goreleaser · Updated May 15, 2024

Package

gomod github.com/goreleaser/goreleaser (Go)

Affected versions

= 1.26.0

References

  • GHSA-f6mm-5fc7-3g3c
  • goreleaser/goreleaser#4787
  • goreleaser/goreleaser@22f734e

Published to the GitHub Advisory Database

May 15, 2024

Last updated

May 15, 2024