actions/ai-inference
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

🔒 [security fix] Fix sensitive data exposure in logs

Browse Source 
- Change core.info to core.debug for model responses in src/inference.ts
- Change core.info to core.debug for tool execution details in src/mcp.ts
- Change core.info to core.debug for custom header logging in src/helpers.ts
- Remove sensitive response previews from error messages in src/inference.ts
- Update tests to reflect changes from core.info to core.debug
This commit is contained in:
google-labs-jules[bot]
2026-02-24 17:42:20 +00:00
parent a380166897
commit c6c19e0fb7
6 changed files with 25 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
__tests__/helpers.test.ts
View File

@@ -150,9 +150,9 @@ X-Custom-Header: custom-value`
header2: 'value2',
'X-Custom-Header': 'custom-value',
})
expect(core.info).toHaveBeenCalledWith('Custom header added: header1: value1')
expect(core.info).toHaveBeenCalledWith('Custom header added: header2: value2')
expect(core.info).toHaveBeenCalledWith('Custom header added: X-Custom-Header: custom-value')
expect(core.debug).toHaveBeenCalledWith('Custom header added: header1: value1')
expect(core.debug).toHaveBeenCalledWith('Custom header added: header2: value2')
expect(core.debug).toHaveBeenCalledWith('Custom header added: X-Custom-Header: custom-value')
})
it('parses JSON format headers correctly', () => {
@@ -165,9 +165,9 @@ X-Custom-Header: custom-value`
header2: 'value2',
'X-Team': 'engineering',
})
expect(core.info).toHaveBeenCalledWith('Custom header added: header1: value1')
expect(core.info).toHaveBeenCalledWith('Custom header added: header2: value2')
expect(core.info).toHaveBeenCalledWith('Custom header added: X-Team: engineering')
expect(core.debug).toHaveBeenCalledWith('Custom header added: header1: value1')
expect(core.debug).toHaveBeenCalledWith('Custom header added: header2: value2')
expect(core.debug).toHaveBeenCalledWith('Custom header added: X-Team: engineering')
})
it('returns empty object for empty input', () => {
@@ -194,13 +194,13 @@ password: pass123`
})
// Sensitive headers should be masked
expect(core.info).toHaveBeenCalledWith('Custom header added: Ocp-Apim-Subscription-Key: ***MASKED***')
expect(core.info).toHaveBeenCalledWith('Custom header added: X-Api-Token: ***MASKED***')
expect(core.info).toHaveBeenCalledWith('Custom header added: Authorization: ***MASKED***')
expect(core.info).toHaveBeenCalledWith('Custom header added: password: ***MASKED***')
expect(core.debug).toHaveBeenCalledWith('Custom header added: Ocp-Apim-Subscription-Key: ***MASKED***')
expect(core.debug).toHaveBeenCalledWith('Custom header added: X-Api-Token: ***MASKED***')
expect(core.debug).toHaveBeenCalledWith('Custom header added: Authorization: ***MASKED***')
expect(core.debug).toHaveBeenCalledWith('Custom header added: password: ***MASKED***')
// Non-sensitive headers should not be masked
expect(core.info).toHaveBeenCalledWith('Custom header added: serviceName: my-service')
expect(core.debug).toHaveBeenCalledWith('Custom header added: serviceName: my-service')
})
it('validates header names and skips invalid ones', () => {
@@ -367,8 +367,8 @@ systemID: terraform-ci`
})
// Only the subscription key should be masked
expect(core.info).toHaveBeenCalledWith('Custom header added: Ocp-Apim-Subscription-Key: ***MASKED***')
expect(core.info).toHaveBeenCalledWith('Custom header added: serviceName: terraform-plan-workflow')
expect(core.debug).toHaveBeenCalledWith('Custom header added: Ocp-Apim-Subscription-Key: ***MASKED***')
expect(core.debug).toHaveBeenCalledWith('Custom header added: serviceName: terraform-plan-workflow')
})
})
})

4
__tests__/inference.test.ts
View File

@@ -58,7 +58,7 @@ describe('inference.ts', () => {
expect(result).toBe('Hello, user!')
expect(core.info).toHaveBeenCalledWith('Running simple inference without tools')
expect(core.info).toHaveBeenCalledWith('Model response: Hello, user!')
expect(core.debug).toHaveBeenCalledWith('Model response: Hello, user!')
// Verify the request structure
expect(mockCreate).toHaveBeenCalledWith({
@@ -136,7 +136,7 @@ describe('inference.ts', () => {
const result = await simpleInference(mockRequest)
expect(result).toBeNull()
expect(core.info).toHaveBeenCalledWith('Model response: No response content')
expect(core.debug).toHaveBeenCalledWith('Model response: No response content')
})
it('includes response format when specified', async () => {

4
__tests__/mcp.test.ts
View File

@@ -177,8 +177,8 @@ describe('mcp.ts', () => {
name: 'test-tool',
content: JSON.stringify(toolResult.content),
})
expect(core.info).toHaveBeenCalledWith('Executing GitHub MCP tool: test-tool with args: {"param": "value"}')
expect(core.info).toHaveBeenCalledWith('GitHub MCP tool test-tool executed successfully')
expect(core.debug).toHaveBeenCalledWith('Executing GitHub MCP tool: test-tool with args: {"param": "value"}')
expect(core.debug).toHaveBeenCalledWith('GitHub MCP tool test-tool executed successfully')
})
it('handles tool execution errors gracefully', async () => {

4
src/helpers.ts
View File

@@ -143,9 +143,9 @@ function validateAndMaskHeaders(headers: Record<string, unknown>): Record<string
const lowerName = name.toLowerCase()
const isSensitive = sensitivePatterns.some(pattern => lowerName.includes(pattern))
if (isSensitive) {
core.info(`Custom header added: ${name}: ***MASKED***`)
core.debug(`Custom header added: ${name}: ***MASKED***`)
} else {
core.info(`Custom header added: ${name}: ${stringValue}`)
core.debug(`Custom header added: ${name}: ${stringValue}`)
}
}

10
src/inference.ts
View File

@@ -61,7 +61,7 @@ export async function simpleInference(request: InferenceRequest): Promise<string
const response = await chatCompletion(client, chatCompletionRequest, 'simpleInference')
const modelResponse = response.choices[0]?.message?.content
core.info(`Model response: ${modelResponse || 'No response content'}`)
core.debug(`Model response: ${modelResponse || 'No response content'}`)
return modelResponse || null
}
@@ -116,7 +116,7 @@ export async function mcpInference(
const modelResponse = assistantMessage?.content
const toolCalls = assistantMessage?.tool_calls
core.info(`Model response: ${modelResponse || 'No response content'}`)
core.debug(`Model response: ${modelResponse || 'No response content'}`)
messages.push({
role: 'assistant',
@@ -181,16 +181,14 @@ async function chatCompletion(
try {
response = JSON.parse(response)
} catch (e) {
const preview = response.slice(0, 400)
throw new Error(
`${context}: Chat completion response was a string and not valid JSON (${(e as Error).message}). Preview: ${preview}`,
`${context}: Chat completion response was a string and not valid JSON (${(e as Error).message})`,
)
}
}
if (!response || typeof response !== 'object' || !('choices' in response)) {
const preview = JSON.stringify(response)?.slice(0, 800)
throw new Error(`${context}: Unexpected response shape (no choices). Preview: ${preview}`)
throw new Error(`${context}: Unexpected response shape (no choices)`)
}
return response as OpenAI.Chat.Completions.ChatCompletion

4
src/mcp.ts
View File

@@ -96,7 +96,7 @@ export async function connectToGitHubMCP(token: string, toolsets?: string): Prom
* Execute a single tool call via GitHub MCP
*/
export async function executeToolCall(githubMcpClient: Client, toolCall: ToolCall): Promise<ToolResult> {
core.info(`Executing GitHub MCP tool: ${toolCall.function.name} with args: ${toolCall.function.arguments}`)
core.debug(`Executing GitHub MCP tool: ${toolCall.function.name} with args: ${toolCall.function.arguments}`)
try {
const args = JSON.parse(toolCall.function.arguments)
@@ -106,7 +106,7 @@ export async function executeToolCall(githubMcpClient: Client, toolCall: ToolCal
arguments: args,
})
core.info(`GitHub MCP tool ${toolCall.function.name} executed successfully`)
core.debug(`GitHub MCP tool ${toolCall.function.name} executed successfully`)
return {
tool_call_id: toolCall.id,