goreleaser shows environment by default

2024-05-1517:17:10

Google

osv.dev

goreleaser

environment leak

info level

debug level

go build

environment

secrets

go mod tidy

credentials

tokens

software

7 High

AI Score

Confidence

Low

JSON

Summary

Since #4787 the log output is printed on the INFO level, while previously it was logged on DEBUG. This means if the go build output is non-empty, goreleaser leaks the environment.

PoC

Create a Go project with dependencies, do not pull them yet (or run goreleaser later in a container, or delete $GOPATH/pkg).
Make sure to have secrets set in the environment
Make sure to not have go mod tidy in a before hook
Run goreleaser release --clean
Go prints lots of go: downloading ... lines, which triggers the “if output not empty, log it” line, which includes the environment.

Impact

Credentials and tokens are leaked.

CPENameOperatorVersion
github.com/goreleaser/goreleasereq1.26.0

CPE	Name	Operator	Version
	github.com/goreleaser/goreleaser	eq	1.26.0

References

github.com/goreleaser/goreleaser

github.com/goreleaser/goreleaser/commit/22f734e41f7a5111a031a3a4eb714c1b6aa6456b

github.com/goreleaser/goreleaser/pull/4787

github.com/goreleaser/goreleaser/security/advisories/GHSA-f6mm-5fc7-3g3c

7 High

AI Score

Confidence

Low

JSON