Add log filtering to prevent sensitive data leakage

This commit is contained in:
crazywhalecc 2026-03-05 08:17:41 +08:00
parent f7277cc012
commit 715f33ac4d
No known key found for this signature in database
GPG Key ID: 1F4BDD59391F2680
5 changed files with 43 additions and 15 deletions


@ -16,10 +16,12 @@ trait GitHubTokenSetupTrait
// GITHUB_TOKEN support // GITHUB_TOKEN support
if (($token = getenv('GITHUB_TOKEN')) !== false && ($user = getenv('GITHUB_USER')) !== false) { if (($token = getenv('GITHUB_TOKEN')) !== false && ($user = getenv('GITHUB_USER')) !== false) {
logger()->debug("Using 'GITHUB_TOKEN' with user {$user} for authentication"); logger()->debug("Using 'GITHUB_TOKEN' with user {$user} for authentication");
spc_add_log_filter([$user, $token]);
return ['Authorization: Basic ' . base64_encode("{$user}:{$token}")]; return ['Authorization: Basic ' . base64_encode("{$user}:{$token}")];
} }
if (($token = getenv('GITHUB_TOKEN')) !== false) { if (($token = getenv('GITHUB_TOKEN')) !== false) {
logger()->debug("Using 'GITHUB_TOKEN' for authentication"); logger()->debug("Using 'GITHUB_TOKEN' for authentication");
spc_add_log_filter($token);
return ["Authorization: Bearer {$token}"]; return ["Authorization: Bearer {$token}"];
} }
return []; return [];
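Review bot: Only the raw `$user` and `$token` are registered on L17, while the value actually sent on L18 is `base64_encode("{$user}:{$token}")`, so the header as it goes out on the wire would not be masked if it ever reached a log (verbose HTTP output, a logged command line); register that form as well, `spc_add_log_filter([$user, $token, base64_encode("{$user}:{$token}")]);`. The filter is also registered after the debug line on L16 has already been emitted, so that line is written unmasked; if masking the user name is the intent, move the `spc_add_log_filter` call above `logger()->debug(...)` in both branches (L17 before L16, L22 before L21). Whether the header value reaches a log depends on the HTTP helpers, which are outside this hunk, as are the start and end of the enclosing method.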


@ -115,7 +115,7 @@ class ExceptionHandler
$msg = explode("\n", (string) $message); $msg = explode("\n", (string) $message);
foreach ($msg as $v) { foreach ($msg as $v) {
$line = str_pad($v, strlen($v) + $indent_space, ' ', STR_PAD_LEFT); $line = str_pad($v, strlen($v) + $indent_space, ' ', STR_PAD_LEFT);
fwrite($spc_log, strip_ansi_colors($line) . PHP_EOL); spc_write_log($spc_log, strip_ansi_colors($line) . PHP_EOL);
if ($output_log) { if ($output_log) {
InteractiveTerm::plain(ConsoleColor::$color($line) . '', 'error'); InteractiveTerm::plain(ConsoleColor::$color($line) . '', 'error');
} }
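Review bot: The masking covers only the log-file copy on L33; the same `$line` goes to the terminal unfiltered on L35, so a secret that ends up in an exception message is still printed whenever `$output_log` is set, and in CI that terminal output is usually captured too. Since `spc_write_log` operates on a stream, the cleaner fix is to filter the string once before both writes, via a string-level helper added alongside `spc_write_log` (for instance `spc_filter_log_string(string $data): string`) and used here as `$line = spc_filter_log_string($line);` right after the `str_pad` on L32. The enclosing method starts and ends outside the hunk.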


@ -114,22 +114,22 @@ abstract class Shell
if (!$this->enable_log_file) { if (!$this->enable_log_file) {
return; return;
} }
// write executed command to log file using fwrite // write executed command to log file using spc_write_log
$log_file = fopen(SPC_SHELL_LOG, 'a'); $log_file = fopen(SPC_SHELL_LOG, 'a');
fwrite($log_file, "\n>>>>>>>>>>>>>>>>>>>>>>>>>> [" . date('Y-m-d H:i:s') . "]\n"); spc_write_log($log_file, "\n>>>>>>>>>>>>>>>>>>>>>>>>>> [" . date('Y-m-d H:i:s') . "]\n");
fwrite($log_file, "> Executing command: {$cmd}\n"); spc_write_log($log_file, "> Executing command: {$cmd}\n");
// get the backtrace to find the file and line number // get the backtrace to find the file and line number
$backtrace = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 2); $backtrace = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 2);
if (isset($backtrace[1]['file'], $backtrace[1]['line'])) { if (isset($backtrace[1]['file'], $backtrace[1]['line'])) {
$file = $backtrace[1]['file']; $file = $backtrace[1]['file'];
$line = $backtrace[1]['line']; $line = $backtrace[1]['line'];
fwrite($log_file, "> Called from: {$file} at line {$line}\n"); spc_write_log($log_file, "> Called from: {$file} at line {$line}\n");
} }
fwrite($log_file, "> Environment variables: {$this->getEnvString()}\n"); spc_write_log($log_file, "> Environment variables: {$this->getEnvString()}\n");
if ($this->cd !== null) { if ($this->cd !== null) {
fwrite($log_file, "> Working dir: {$this->cd}\n"); spc_write_log($log_file, "> Working dir: {$this->cd}\n");
} }
fwrite($log_file, "\n"); spc_write_log($log_file, "\n");
} }
/** /**
@ -154,7 +154,7 @@ abstract class Shell
): array { ): array {
$file_res = null; $file_res = null;
if ($this->enable_log_file) { if ($this->enable_log_file) {
// write executed command to the log file using fwrite // write executed command to the log file using spc_write_log
$file_res = fopen(SPC_SHELL_LOG, 'a'); $file_res = fopen(SPC_SHELL_LOG, 'a');
} }
if ($console_output) { if ($console_output) {
@ -194,10 +194,10 @@ abstract class Shell
foreach ([$pipes[1], $pipes[2]] as $pipe) { foreach ([$pipes[1], $pipes[2]] as $pipe) {
while (($chunk = fread($pipe, 8192)) !== false && $chunk !== '') { while (($chunk = fread($pipe, 8192)) !== false && $chunk !== '') {
if ($console_output) { if ($console_output) {
fwrite($console_res, $chunk); spc_write_log($console_res, $chunk);
} }
if ($file_res !== null) { if ($file_res !== null) {
fwrite($file_res, $chunk); spc_write_log($file_res, $chunk);
} }
if ($capture_output) { if ($capture_output) {
$output_value .= $chunk; $output_value .= $chunk;
@ -207,7 +207,7 @@ abstract class Shell
// check exit code // check exit code
if ($throw_on_error && $status['exitcode'] !== 0) { if ($throw_on_error && $status['exitcode'] !== 0) {
if ($file_res !== null) { if ($file_res !== null) {
fwrite($file_res, "Command exited with non-zero code: {$status['exitcode']}\n"); spc_write_log($file_res, "Command exited with non-zero code: {$status['exitcode']}\n");
} }
throw new ExecutionException( throw new ExecutionException(
cmd: $original_command ?? $cmd, cmd: $original_command ?? $cmd,
@ -238,10 +238,10 @@ abstract class Shell
foreach ($read as $pipe) { foreach ($read as $pipe) {
while (($chunk = fread($pipe, 8192)) !== false && $chunk !== '') { while (($chunk = fread($pipe, 8192)) !== false && $chunk !== '') {
if ($console_output) { if ($console_output) {
fwrite($console_res, $chunk); spc_write_log($console_res, $chunk);
} }
if ($file_res !== null) { if ($file_res !== null) {
fwrite($file_res, $chunk); spc_write_log($file_res, $chunk);
} }
if ($capture_output) { if ($capture_output) {
$output_value .= $chunk; $output_value .= $chunk;
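Review bot: The masking is applied per 8192-byte chunk on L74/L77, so a secret that straddles a `fread` boundary is split across two `str_replace` calls and neither half matches; the stream_select loop in the last hunk (L93/L96) has the same gap. Buffer each pipe up to its last newline, pass only complete lines to `spc_write_log`, and flush whatever remains once the pipe stops delivering data. The capture path `$output_value .= $chunk` can keep appending raw chunks, since the filter is only meant for what is written out. Both loops sit inside methods whose start and end are outside the hunk, so the flush placement below is indicative.
```php
foreach ([$pipes[1], $pipes[2]] as $pipe) {
    $pending = ''; // tail after the last newline, kept so a secret split across reads is still masked
    while (($chunk = fread($pipe, 8192)) !== false && $chunk !== '') {
        if ($capture_output) {
            $output_value .= $chunk;
        }
        $pending .= $chunk;
        $cut = strrpos($pending, "\n");
        if ($cut === false) {
            continue;
        }
        $ready = substr($pending, 0, $cut + 1);
        $pending = substr($pending, $cut + 1);
        // … unchanged: the two spc_write_log calls to $console_res / $file_res, writing $ready instead of $chunk …
    }
    if ($pending !== '') {
        // … the same two spc_write_log calls for the final unterminated line …
    }
}
```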


@ -52,7 +52,7 @@ if (filter_var(getenv('SPC_ENABLE_LOG_FILE'), FILTER_VALIDATE_BOOLEAN)) {
$log_file_fd = fopen(SPC_OUTPUT_LOG, 'a'); $log_file_fd = fopen(SPC_OUTPUT_LOG, 'a');
$ob_logger->addLogCallback(function ($level, $output) use ($log_file_fd) { $ob_logger->addLogCallback(function ($level, $output) use ($log_file_fd) {
if ($log_file_fd) { if ($log_file_fd) {
fwrite($log_file_fd, strip_ansi_colors($output) . "\n"); spc_write_log($log_file_fd, strip_ansi_colors($output) . "\n");
} }
return true; return true;
}); });


@ -132,6 +132,32 @@ function patch_point(): string
return ''; return '';
} }
// Add log filter value(s) to prevent secret leak
function spc_add_log_filter(array|string $filter): void
{
global $spc_log_filters;
if (!is_array($spc_log_filters)) {
$spc_log_filters = [];
}
if (is_string($filter)) {
if (!in_array($filter, $spc_log_filters, true)) {
$spc_log_filters[] = $filter;
}
} elseif (is_array($filter)) {
$spc_log_filters = array_values(array_unique(array_merge($spc_log_filters, $filter)));
}
}
function spc_write_log(mixed $stream, string $data): false|int
{
// get filter
global $spc_log_filters;
if (is_array($spc_log_filters)) {
$data = str_replace($spc_log_filters, '***', $data);
}
return fwrite($stream, $data);
}
function patch_point_interrupt(int $retcode, string $msg = ''): InterruptException function patch_point_interrupt(int $retcode, string $msg = ''): InterruptException
{ {
return new InterruptException(message: $msg, code: $retcode); return new InterruptException(message: $msg, code: $retcode);
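Review bot: `spc_write_log` replaces the filters in registration order (L137), so when one filter value is a substring of another — the GitHub user name registered together with the token, for instance — the shorter one is masked first and the longer secret is left partially visible. Keep the list sorted longest-first, e.g. at the end of `spc_add_log_filter`: `usort($spc_log_filters, static fn (string $a, string $b): int => strlen($b) <=> strlen($a));`. Empty strings should also be dropped on registration, since `getenv()` returns `''` for a variable that is set but empty, and a very short filter masks unrelated text everywhere; `$filter = array_filter((array) $filter, static fn ($f): bool => $f !== '');` at the top of `spc_add_log_filter` covers both the string and the array branch, after which the `is_string` branch can go. Both functions are undocumented beyond the one-line comment: `spc_write_log` deserves a `@param resource $stream` and a docblock sentence stating that masking is a plain substring match and does not cover encoded forms of a secret (base64, URL-encoded), so callers must register those forms themselves.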