feat(pipeline-doctor): assert no set -x in token-bearing ci scripts (#191)
This commit is contained in:
Oleks
@@ -89,6 +89,27 @@ else
|
||||
bad "possible token leak: a token var is echo/printf'd un-redacted, or set -x is enabled"
|
||||
fi
|
||||
|
||||
# 3b. (security sweep, cluster #191) no `set -x` in a TOKEN-BEARING ci/*.sh.
|
||||
# Scoped per-file: a script that references a registry token (REGISTRY_TOKEN /
|
||||
# CI_REGISTRY_TOKEN / an 'Authorization: token' header) must NOT enable xtrace,
|
||||
# which would echo the token to the build log. A `set -x` in a token-free helper
|
||||
# (e.g. a pure version parser) is not flagged here.
|
||||
xtrace_hits=""
|
||||
if [ -d "$REPO/ci" ]; then
|
||||
for s in "$REPO"/ci/*.sh; do
|
||||
[ -f "$s" ] || continue
|
||||
if grep -Eq '(REGISTRY_TOKEN|Authorization: token)' "$s" &&
|
||||
grep -Eq '^[[:space:]]*set -[a-z]*x' "$s"; then
|
||||
xtrace_hits="$xtrace_hits ${s#"$REPO"/}"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
if [ -z "$xtrace_hits" ]; then
|
||||
ok "no set -x in token-bearing ci/*.sh scripts"
|
||||
else
|
||||
bad "set -x in token-bearing ci/*.sh:$xtrace_hits (xtrace would echo the token)"
|
||||
fi
|
||||
|
||||
# 4. dev-tag guard present.
|
||||
if printf '%s' "$token_src" | grep -Eq 'parity_devtag_guard|refusing to publish without an explicit'; then
|
||||
ok "dev-tag guard present"
|
||||
|
||||
Reference in New Issue
Block a user