Potential security issue

[simbamarufu1]

When using this action, the following warning is displayed and it states that secrets are visible inside the container in plaintext in /github/home/.docker/config.json. I am aware that action containers are ephemeral, but isn't this file accessible to subsequent executed actions?

15 Logging in to registry 16 WARNING! Using --password via the CLI is insecure. Use --password-stdin. 17 WARNING! Your password will be stored unencrypted in /github/home/.docker/config.json. 18 Configure a credential helper to remove this warning. See 19 https://docs.docker.com/engine/reference/commandline/login/#credentials-store

[justincormack]

We are looking into the best way to handle these credentials, thanks for the report. The file will indeed be available later, unless you logout or remove it.

[crazy-max]

Hi @simbamarufu1,

This will be fixed through build-push-action v2 (#92) and more precisely the login-action if you want to try it.

[crazy-max]

Version 2 has been merged to the main branch and is therefore available via uses: docker/build-push-action@v2 (mutable tag).

As a reminder, this new version changes drastically and works with 3 new actions (login, setup-buildx and setup-qemu) that we have created. Many usage examples have been added to handle most use cases.

And it should fix this current issue. Don't hesitate if you have any questions.

[eine]

I'm sorry to bring the bad news, but I'd say that this issue was not fixed. It seems that the warning message is hidden from the users, which is misleading as it provides a false feeling of security. As seen in https://github.com/docker/login-action/blob/adb73476b6e06caddec5db0bc1deacbec8cdd947/src/docker.ts#L36, on success stderr is not shown. The warning is precisely shown when the login is successful but insecure.

See https://github.com/eine/login-action/commits/master and https://github.com/eine/login-action/runs/1354438643?check_suite_focus=true#step:3:8.

@crazy-max, can you please reopen this issue?

[Al13n0]

I can confirm the issue is still there, even using the docker/login-action@v2, the only fix is that the error message is hided from the user.