Merge pull request #2989 from chrischdi/pr-hack-handle-binary-files-c…

…ensoring 🌱 hack/e2e don't add binary files to artifacts and also censor base64 encoded values
kubernetes-sigs · May 15, 2024 · b89c791 · b89c791
2 parents b7d922a + 1a7620b
commit b89c791
Showing 1 changed file with 17 additions and 2 deletions.
diff --git a/hack/e2e.sh b/hack/e2e.sh
@@ -44,12 +44,27 @@ on_exit() {
 
   # Cleanup VSPHERE_PASSWORD from temporary artifacts directory.
   if [[ "${ORIGINAL_ARTIFACTS}" != "" ]]; then
-    if [ -z "$VSPHERE_PASSWORD" ]; then
-      grep -r -l -e "${VSPHERE_PASSWORD}" "${ARTIFACTS}" | while IFS= read -r file
+    # Delete non-text files from artifacts directory to not leak files accidentially
+    find "${ARTIFACTS}" -type f -exec file --mime-type {} \; | grep -v -E -e "text/plain|text/xml|application/json|inode/x-empty" | while IFS= read -r line
+    do
+      file="$(echo "${line}" | cut -d ':' -f1)"
+      mimetype="$(echo "${line}" | cut -d ':' -f2)"
+      echo "Deleting file ${file} of type ${mimetype}"
+      rm "${file}"
+    done || true
+    # Replace secret and base64 secret in all files.
+    if [ -n "$VSPHERE_PASSWORD" ]; then
+      grep -I -r -l -e "${VSPHERE_PASSWORD}" "${ARTIFACTS}" | while IFS= read -r file
       do
         echo "Cleaning up VSPHERE_PASSWORD from file ${file}"
         sed -i "s/${VSPHERE_PASSWORD}/REDACTED/g" "${file}"
       done || true
+      VSPHERE_PASSWORD_B64=$(echo -n "${VSPHERE_PASSWORD}" | base64 --wrap=0)
+      grep -I -r -l -e "${VSPHERE_PASSWORD_B64}" "${ARTIFACTS}" | while IFS= read -r file
+      do
+        echo "Cleaning up VSPHERE_PASSWORD_B64 from file ${file}"
+        sed -i "s/${VSPHERE_PASSWORD_B64}/REDACTED/g" "${file}"
+      done || true
     fi
     # Move all artifacts to the original artifacts location.
     mv "${ARTIFACTS}"/* "${ORIGINAL_ARTIFACTS}/"