43 changes: 43 additions & 0 deletions .vortex/docs/.utils/VideoRecorder.php
Expand Up @@ -302,13 +302,56 @@ public function postprocessCast(string $cast_path, ?string $workspace = NULL, bo
throw new RuntimeException("Failed to redact login tokens in cast: $cast_path");
}

$contents = $this->redactSecrets($contents);

if (file_put_contents($cast_path, $contents) === FALSE) {
throw new RuntimeException("Failed to write postprocessed cast: $cast_path");
}

$this->pass('Cast post-processed');
}

/**
* Mask credential-like secrets in cast contents with a fixed placeholder.
*
* Recorded command output can surface real secrets - for example a
* 'PACKAGE_TOKEN' replayed verbatim by a cached Docker build layer, or a
* token printed by a provisioning step. Published demos must never embed
* real credentials, so recognised token formats and the literal values of
* sensitive environment variables are masked before the cast is rendered to
* SVG and PNG.
*/
protected function redactSecrets(string $contents): string {
$placeholder = 'XXXXX';

$patterns = [
// GitHub personal access, OAuth, user-to-server, server-to-server and
// refresh tokens (for example 'ghp_...', 'gho_...').
'#\bgh[oprsu]_[A-Za-z0-9]{36,255}#',
// GitHub fine-grained personal access tokens ('github_pat_...').
'#\bgithub_pat_[A-Za-z0-9_]{22,255}#',
// AWS access key identifiers.
'#\b(?:AKIA|ASIA)[A-Z0-9]{16}#',
];

$masked = preg_replace($patterns, $placeholder, $contents);
if ($masked === NULL) {
throw new RuntimeException('Failed to mask secret token patterns in cast');
}

// Defence in depth: mask the literal values of sensitive environment
// variables when set, catching tokens whose format the patterns above do
// not recognise. Short values are skipped to avoid mangling innocuous text.
foreach (['PACKAGE_TOKEN', 'GITHUB_TOKEN', 'VORTEX_CONTAINER_REGISTRY_PASS'] as $name) {
$value = getenv($name);
if (is_string($value) && strlen($value) >= 8) {
$masked = str_replace($value, $placeholder, $masked);
}
}

return $masked;
}

/**
* Multiply every event timestamp by $factor (< 1 speeds up, > 1 slows down).
* Used to make recorded command demos playable in less wall-clock time.
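Review bot: The env-value pass in `redactSecrets` (`str_replace($value, $placeholder, $masked)`) matches only the raw value, yet the cast is JSON text (see the `build.json` section of this PR), so a secret containing `"`, `\` or non-ASCII characters is present there in escaped form and slips through this pass. Masking the encoded form alongside the raw one closes that gap: `$encoded = substr((string) json_encode($value, JSON_UNESCAPED_SLASHES), 1, -1);` followed by `$masked = str_replace([$value, $encoded], $placeholder, $masked);` (str_replace ignores an empty search string, so a failed encode is harmless). Whether `\u` escapes line up exactly with the recorder's encoder is something I would pin with a unit test using a constructed value rather than assume. A value split across a terminal wrap boundary or interleaved with ANSI sequences will still match neither pass, and I would say so in the "Defence in depth" comment so the mask is not read as exhaustive. postprocessCast itself begins above the hunk.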
2 changes: 1 addition & 1 deletion .vortex/docs/static/img/build.json
Expand Up @@ -42,7 +42,7 @@
[7.451997, "o", "\r\n#45 [nginx stage-1 1/5] FROM docker.io/uselagoon/nginx-drupal:26.5.1@sha256:5bc865ce265225243dcc181771d26208e8d40174e50ecd1a28bcffe8b4359b5d\r\n#45 DONE 0.0s\r\n\r\n#46 [nginx internal] load build context\r\n#46 DONE 0.0s\r\n\r\n#30 [php internal] load metadata for docker.io/uselagoon/php-8.4-fpm:26.5.1\r\n#30 DONE 1.3s\r\n"]
[7.452005, "o", "\r\n#47 [nginx stage-1 2/5] RUN apk add --no-cache tzdata\r\n#47 CACHED\r\n\r\n#48 [nginx stage-1 3/5] COPY ./.docker/config/nginx/redirects-map.conf /etc/nginx/redirects-map.conf\r\n#48 CACHED\r\n\r\n#49 [nginx stage-1 4/5] RUN fix-permissions /etc/nginx\r\n#49 CACHED\r\n\r\n#50 [php stage-1 1/3] FROM docker.io/uselagoon/php-8.4-fpm:26.5.1@sha256:32c8a03a5f95b9710de0623f3ec161106910128db19528d7f73d2c5e69db23bb\r\n#50 DONE 0.0s\r\n\r\n#51 [php stage-0 2/10] RUN apk add --no-cache ncurses pv tzdata autoconf g++ make && pecl install pcov && docker-php-ext-enable pcov && docker-php-ext-install pcntl && apk del g++ make autoconf\r\n#51 CACHED\r\n\r\n#52 [php stage-0 3/10] COPY patches /app/patches\r\n#52 CACHED\r\n\r\n#7 [php internal] load .dockerignore\r\n#7 CACHED\r\n\r\n#53 [php stage-0 1/10] FROM docker.io/uselagoon/php-8.4-cli-drupal:26.5.1@sha256:0b4c6b2dfb2080f21d749c708b547fae4e66d4cd17cc7908abcf512312a763ae\r\n#53 DONE 0.0s\r\n\r\n#54 [cli internal] load build context\r\n"]
[7.452007, "o", "#54 transferring context: 2.38MB 0.1s done\r\n#54 DONE 0.1s\r\n\r\n#55 [php stage-0 4/10] COPY scripts /app/scripts\r\n"]
[7.69291, "o", "#55 DONE 0.1s\r\n\r\n#51 [nginx stage-0 2/10] RUN apk add --no-cache ncurses pv tzdata autoconf g++ make && pecl install pcov && docker-php-ext-enable pcov && docker-php-ext-install pcntl && apk del g++ make autoconf\r\n#51 CACHED\r\n\r\n#52 [nginx stage-0 3/10] COPY patches /app/patches\r\n#52 CACHED\r\n\r\n#56 [cli stage-0 5/10] COPY composer.json composer.* patches.lock.* .env* auth* /app/\r\n#56 DONE 0.1s\r\n\r\n#57 [php stage-0 6/10] RUN --mount=type=secret,id=package_token token=$(if [ -s /run/secrets/package_token ]; then cat /run/secrets/package_token; else echo \"ghp_REDACTED00000000000000000000000000000000\"; fi) && if [ -n \"${token}\" ]; then export COMPOSER_AUTH=\"{\"github-oauth\": {\"github.com\": \"${token}\"}}\"; fi && COMPOSER_MEMORY_LIMIT=-1 composer install -n --no-dev --ansi --prefer-dist --optimize-autoloader\r\n"]
[7.69291, "o", "#55 DONE 0.1s\r\n\r\n#51 [nginx stage-0 2/10] RUN apk add --no-cache ncurses pv tzdata autoconf g++ make && pecl install pcov && docker-php-ext-enable pcov && docker-php-ext-install pcntl && apk del g++ make autoconf\r\n#51 CACHED\r\n\r\n#52 [nginx stage-0 3/10] COPY patches /app/patches\r\n#52 CACHED\r\n\r\n#56 [cli stage-0 5/10] COPY composer.json composer.* patches.lock.* .env* auth* /app/\r\n#56 DONE 0.1s\r\n\r\n#57 [php stage-0 6/10] RUN --mount=type=secret,id=package_token token=$(if [ -s /run/secrets/package_token ]; then cat /run/secrets/package_token; else echo \"XXXXX\"; fi) && if [ -n \"${token}\" ]; then export COMPOSER_AUTH=\"{\"github-oauth\": {\"github.com\": \"${token}\"}}\"; fi && COMPOSER_MEMORY_LIMIT=-1 composer install -n --no-dev --ansi --prefer-dist --optimize-autoloader\r\n"]
[7.841713, "o", "#57 0.299 \u001b[30;43mNo composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.\u001b[39;49m\r\n"]
[7.992607, "o", "#57 0.299 \u001b[32mLoading composer repositories with package information\u001b[39m\r\n"]
[19.751118, "o", "#57 12.21 \u001b[32mUpdating dependencies\u001b[39m\r\n"]
2 changes: 1 addition & 1 deletion .vortex/docs/static/img/build.svg
12 changes: 6 additions & 6 deletions composer.json
Expand Up @@ -13,8 +13,8 @@
"drupal/coffee": "^2.0.1",
"drupal/config_split": "^2.0.2",
"drupal/config_update": "^2@alpha",
"drupal/core-composer-scaffold": "~11.3.12",
"drupal/core-recommended": "~11.3.12",
"drupal/core-composer-scaffold": "~11.3.13",
"drupal/core-recommended": "~11.3.13",
"drupal/devel": "^5.5",
"drupal/drupal_helpers": "^2.0.1",
"drupal/environment_indicator": "^4.0.25",
Expand All @@ -33,7 +33,7 @@
"drupal/stage_file_proxy": "^3.1.6",
"drupal/testmode": "^2.7.1",
"drupal/xmlsitemap": "^2.0",
"drush/drush": "^13.7.3",
"drush/drush": "^13.7.4",
"webflo/drupal-finder": "^1.3.1"
},
"require-dev": {
Expand All @@ -44,7 +44,7 @@
"drevops/behat-screenshot": "^2.4.1",
"drevops/behat-steps": "^3.11.0",
"drevops/phpcs-standard": "^0.7.0",
"drupal/coder": "^9@alpha",
"drupal/coder": "^9.0.1@alpha",
"drupal/drupal-extension": "^6.1",
"drupal/sdc_devel": "^1.0.2",
"ergebnis/composer-normalize": "^2.52.0",
Expand All @@ -59,8 +59,8 @@
"phpstan/phpstan": "^2.2.2",
"phpunit/phpunit": "^11.5.55",
"pyrech/composer-changelogs": "^2.2",
"rector/rector": "^2.5.0",
"vincentlanglet/twig-cs-fixer": "^4.0"
"rector/rector": "^2.5.2",
"vincentlanglet/twig-cs-fixer": "^4.0.1"
},
"conflict": {
"drupal/drupal": "*"