GHSA-f6mm-5fc7-3g3c

Описание

Summary

Since #4787 the log output is printed on the INFO level, while previously it was logged on DEBUG. This means if the go build output is non-empty, goreleaser leaks the environment.

PoC

• Create a Go project with dependencies, do not pull them yet (or run goreleaser later in a container, or delete $GOPATH/pkg).
• Make sure to have secrets set in the environment
• Make sure to not have go mod tidy in a before hook
• Run goreleaser release --clean
• Go prints lots of go: downloading ... lines, which triggers the "if output not empty, log it" line, which includes the environment.

Impact

Credentials and tokens are leaked.