diff --git a/src/Runner.Worker/ActionCommandManager.cs b/src/Runner.Worker/ActionCommandManager.cs
index 33fab1f21..14b1aae27 100644
--- a/src/Runner.Worker/ActionCommandManager.cs
+++ b/src/Runner.Worker/ActionCommandManager.cs
@@ -405,8 +405,9 @@ namespace GitHub.Runner.Worker
Trace.Info($"Add new secret mask with length of {command.Data.Length}");
// Also add each individual line. Typically individual lines are processed from STDOUT of child processes.
- var split = command.Data.Split(new[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);
- foreach (var item in split)
+ var auxiliarySecrets = command.Data.Split(new[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)
+ .Where(candidate => candidate.Length >= HostContext.SecretMasker.DerivedSecretRecommendedMinimumLength);
+ foreach (var item in auxiliarySecrets)
{
HostContext.SecretMasker.AddValue(item);
}
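Review bot: Lines shorter than `DerivedSecretRecommendedMinimumLength` are now dropped silently, so a one- or two-character line of a multi-line secret is no longer masked when it is printed on its own, and nothing in the runner trace explains why. The comment above the split still says each individual line is added; I would change it to `// Also add each individual line that meets the masker's recommended minimum length; shorter lines are masked only as part of the full value.` (assuming the full value is registered just above the hunk, as it is in Worker.cs) and log the number of skipped lines, never their content, next to the existing `Trace.Info`. The same applies to the `@@ -156,8` hunk in Worker.cs. This file's hunks do not add `using System.Linq;` the way Worker.cs does, so presumably it is already imported, which is worth confirming. The enclosing method starts and ends outside the hunk.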
diff --git a/src/Runner.Worker/Worker.cs b/src/Runner.Worker/Worker.cs
index 4784c1693..ff00047a3 100644
--- a/src/Runner.Worker/Worker.cs
+++ b/src/Runner.Worker/Worker.cs
@@ -3,10 +3,10 @@ using Pipelines = GitHub.DistributedTask.Pipelines;
using GitHub.Runner.Common.Util;
using Newtonsoft.Json;
using System;
+using System.Linq;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
-using GitHub.Services.WebApi;
using GitHub.Runner.Common;
using GitHub.Runner.Sdk;
using System.Text;
@@ -156,8 +156,9 @@ namespace GitHub.Runner.Worker
HostContext.SecretMasker.AddValue(value);
// Also add each individual line. Typically individual lines are processed from STDOUT of child processes.
- var split = value.Split(new[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);
- foreach (var item in split)
+ var auxiliarySecrets = value.Split(new[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)
+ .Where(candidate => candidate.Length >= HostContext.SecretMasker.DerivedSecretRecommendedMinimumLength);
+ foreach (var item in auxiliarySecrets)
{
HostContext.SecretMasker.AddValue(item);
}
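Review bot: The split-and-filter expression here is a verbatim copy of the one in ActionCommandManager.cs, so the two masking paths can drift apart the next time the rule changes. A single shared helper that takes the raw value and registers the derived lines would keep both sites identical. The lambda also re-reads the property for every candidate; hoisting it into a local, `var minimumLength = HostContext.SecretMasker.DerivedSecretRecommendedMinimumLength;`, reads better. The enclosing block continues outside the hunk.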
diff --git a/src/Sdk/DTLogging/Logging/ISecretMasker.cs b/src/Sdk/DTLogging/Logging/ISecretMasker.cs
index 3cbedf1e7..aa13c96c5 100644
--- a/src/Sdk/DTLogging/Logging/ISecretMasker.cs
+++ b/src/Sdk/DTLogging/Logging/ISecretMasker.cs
@@ -6,6 +6,7 @@ namespace GitHub.DistributedTask.Logging
[EditorBrowsable(EditorBrowsableState.Never)]
public interface ISecretMasker
{
+ int DerivedSecretRecommendedMinimumLength { get; }
void AddRegex(String pattern);
void AddValue(String value);
ISecretMasker Clone();
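Review bot: The new member on `ISecretMasker` has no doc comment, and adding it to a public interface breaks any implementer other than `SecretMasker` at compile time. If other implementations exist (none are visible in this diff) and the target framework allows it, a default implementation would keep them building. I would at least add `/// Minimum length, in characters, that a line derived from a multi-line secret should have before callers pass it to AddValue.` above the property. The interface body continues outside the hunk.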
diff --git a/src/Sdk/DTLogging/Logging/SecretMasker.cs b/src/Sdk/DTLogging/Logging/SecretMasker.cs
index f35da202b..5a731721c 100644
--- a/src/Sdk/DTLogging/Logging/SecretMasker.cs
+++ b/src/Sdk/DTLogging/Logging/SecretMasker.cs
@@ -40,6 +40,19 @@ namespace GitHub.DistributedTask.Logging
}
}
+ ///
+ /// Provide callers with a recommendation on what to consider a secret.
+ /// This is helpful in cases where JSON (for example) is broken into multiple lines
+ /// and we don't want to start treating standalone JSON control characters as secrets.
+ ///
+ public int DerivedSecretRecommendedMinimumLength
+ {
+ get
+ {
+ return 3;
+ }
+ }
+
///
/// This implementation assumes no more than one thread is adding regexes, values, or encoders at any given time.
///
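Review bot: The value `3` is returned as a bare literal, and the summary does not say what it counts or that the masker itself does not enforce it. Nothing in this diff makes `AddValue` reject shorter values, so the filter exists only at the two call sites changed in this commit, and any other caller that splits a secret has to remember to apply it. I would state that in the summary, e.g. `/// Advisory only: AddValue does not enforce this; callers that derive per-line secrets should skip candidates shorter than this many characters.`, and give the literal a named private constant. The `///` block after the property documents a member that starts outside the hunk.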