Hide Netlify Build "Flags" information when debug
is not true
#5441
Labels
type: feature
code contributing to the implementation of a feature and/or user facing functionality
Which problem is this feature request solving?
Summary
With
netlify-cli@17
, Netlify deploy information (NETLIFY_AUTH_TOKEN
, most importantly) is exposed when runningnetlify deploy
when logging the "Flags" section. Impact maybe quite severe if the project is open source as people might gain access to the Netlify site using theNETLIFY_AUTH_TOKEN
since the "Flags" section also contain the Netlify Site ID.Details
I tried running this command in my local and my CI:
Both will emit this:
This behavior does not happen in
netlify-cli@16
.PoC
Assuming we're using *nix:
mkdir -p test-netlify-cli/build
yarn init -y
(ornpm
)touch netlify.toml
--> then fill it with[build] publish = "build"
yarn add -D --exact netlify-cli@^17
NETLIFY_SITE_ID
andNETLIFY_AUTH_TOKEN
environment variables (you can maybe use your existing test site)yarn deploy
auth: ...
as plain textExample log using
netlify-cli@16
: https://github.com/imballinst/imballinst.dev/actions/runs/7135903131/job/19433489618. As we could see, there are no logs as pasted in the previous section.Considering in the Netlify CLI we have
debug
option, I think the "Flags" section at least should only be logged whendebug=true
. Otherwise, in public GitHub Actions, it's very possible that the auth token is exposed. Or not?Let me know if my understanding is incorrect. Thanks!
Describe the solution you'd like
Only log the "Flags" section when
netlify-cli
passesdebug=true
.Pull request (optional)
The text was updated successfully, but these errors were encountered: