Skip to content

Remote taskfile could potentially expose secrets #2100

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
skoblenick opened this issue Mar 7, 2025 · 2 comments · May be fixed by #2045
Open

Remote taskfile could potentially expose secrets #2100

skoblenick opened this issue Mar 7, 2025 · 2 comments · May be fixed by #2045
Labels
area: remote Changes related to remote taskfiles.

Comments

@skoblenick
Copy link

Description

I understand this is an experimental feature but the log/warning messages to console should not expose secrets or tokens as plain text. If this is execute by scripts or in a CI environment it could potentially expose the secret tokens or end up in historical logs.

when running with:

export TASK_X_REMOTE_TASKFILES=1
task -y my-task

the following output is echoed to terminal:

The task you are attempting to run depends on the remote Taskfile at "https://ghp_<secret>@raw.githubusercontent.com/username/taskfile/main/Taskfile.yml".
--- Make sure you trust the source of this Taskfile before continuing ---
Continue? [assuming yes]

Ideally, sensitive values would be masked in the output. At minimum there needs to be a way to suppress the warning with an environment variable. The -s (--silence) flag doesn't hide this message either; i.e. task -y -s my-task. An environment variable seems the most logical IMO to ensure the flag isn't missed in scripts and would handle exposure at the repo/system level.

Version

3.41.0

Operating system

MacOS

Experiments Enabled

Remote Taskfiles

Example Taskfile

version: "3"

includes:
  git: https://{{.GH_TOKEN}}@raw.githubusercontent.com/username/taskfile/main/Taskfile.yml

tasks:
   my-task:
     cmds:
        - tasks: git
@task-bot task-bot added the state: needs triage Waiting to be triaged by a maintainer. label Mar 7, 2025
@pd93 pd93 added area: remote Changes related to remote taskfiles. and removed state: needs triage Waiting to be triaged by a maintainer. labels Mar 12, 2025
@pd93 pd93 linked a pull request Mar 12, 2025 that will close this issue
Remote Taskfiles: redact credentials of remote URLs in prompts and logs #2045
Open
@pd93
Copy link
Member

pd93 commented Mar 12, 2025

Hi @skoblenick. Thanks for making the ticket. This has been mentioned before and @iwittkau has been working on fixing this in #2045. I've linked the PR to this ticket and updated the experiment issue too.

@iwittkau
Copy link
Contributor

Yes, I'm currently testing this with my remote Taskfiles setup.

There were some bugs, but it seems like #2007 fixed them.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area: remote Changes related to remote taskfiles.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Remote Taskfiles: redact credentials of remote URLs in prompts and logs iwittkau/task
4 participants
@skoblenick @iwittkau @pd93 @task-bot