unity-cli@v1.8.2 (#67)

- properly mask sensitive strings when `--verbose` is enabled in cli

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Author: StephenHodgson

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "@rage-against-the-pixel/unity-cli",
-  "version": "1.8.1",
+  "version": "1.8.2",
   "description": "A command line utility for the Unity Game Engine.",
   "author": "RageAgainstThePixel",
   "license": "MIT",
@@ -50,17 +50,17 @@
   "dependencies": {
     "@electron/asar": "^4.0.1",
     "@rage-against-the-pixel/unity-releases-api": "^1.0.4",
-    "commander": "^14.0.2",
+    "commander": "^14.0.3",
     "glob": "^11.1.0",
-    "semver": "^7.7.3",
+    "semver": "^7.7.4",
     "source-map-support": "^0.5.21",
-    "tar": "^7.5.2",
+    "tar": "^7.5.7",
     "update-notifier": "^7.3.1",
     "yaml": "^2.8.2"
   },
   "devDependencies": {
     "@types/jest": "^30.0.0",
-    "@types/node": "^24.10.4",
+    "@types/node": "^24.10.12",
     "@types/semver": "^7.7.1",
     "@types/update-notifier": "^6.0.8",
     "jest": "^30.2.0",

package.json

@@ -50,7 +50,7 @@ program.command('activate-license')
             Logger.instance.logLevel = LogLevel.DEBUG;
         }
 
-        Logger.instance.debug(JSON.stringify(options));
+        Logger.instance.debugOptions(options);
 
         const client = new LicensingClient();
         const licenseStr: string = options.license?.toString()?.trim();
@@ -79,6 +79,11 @@ program.command('activate-license')
             if (licenseType === LicenseType.professional && !options.serial) {
                 options.serial = await PromptForSecretInput('Serial: ');
             }
+
+            // Mask credentials in CI environments before any potential logging
+            Logger.instance.maskCredential(options.email);
+            Logger.instance.maskCredential(options.password);
+            Logger.instance.maskCredential(options.serial);
         }
 
         const token = await client.Activate({
@@ -106,7 +111,7 @@ program.command('return-license')
             Logger.instance.logLevel = LogLevel.DEBUG;
         }
 
-        Logger.instance.debug(JSON.stringify(options));
+        Logger.instance.debugOptions(options);
 
         const client = new LicensingClient();
         const licenseStr: string = options.license?.toString()?.trim();
@@ -134,6 +139,9 @@ program.command('return-license')
                 Logger.instance.error('Token is required when returning a floating license. Use -t or --token to specify it.');
                 process.exit(1);
             }
+
+            // Mask token in CI environments before any potential logging
+            Logger.instance.maskCredential(token);
         }
 
         await client.Deactivate(licenseType, token);
@@ -220,7 +228,7 @@ program.command('hub-install')
             Logger.instance.logLevel = LogLevel.DEBUG;
         }
 
-        Logger.instance.debug(JSON.stringify(options));
+        Logger.instance.debugOptions(options);
 
         if (options.autoUpdate === true && options.hubVersion) {
             Logger.instance.error('Cannot use --auto-update with --hub-version.');
@@ -252,7 +260,7 @@ program.command('hub')
             Logger.instance.logLevel = LogLevel.DEBUG;
         }
 
-        Logger.instance.debug(JSON.stringify({ args, options }));
+        Logger.instance.debugOptions({ args, options });
 
         const unityHub = new UnityHub();
         const output = await unityHub.Exec(args, { silent: false, showCommand: Logger.instance.logLevel === LogLevel.DEBUG });
@@ -280,7 +288,7 @@ program.command('setup-unity')
             Logger.instance.logLevel = LogLevel.DEBUG;
         }
 
-        Logger.instance.debug(JSON.stringify(options));
+        Logger.instance.debugOptions(options);
 
         let unityProject: UnityProject | undefined;
 
@@ -373,7 +381,7 @@ program.command('uninstall-unity')
             Logger.instance.logLevel = LogLevel.DEBUG;
         }
 
-        Logger.instance.debug(JSON.stringify(options));
+        Logger.instance.debugOptions(options);
 
         let unityEditor: UnityEditor | undefined;
         const unityVersionStr = options.unityVersion?.toString()?.trim();
@@ -472,7 +480,7 @@ program.command('run')
             Logger.instance.logLevel = requestedLogLevel;
         }
 
-        Logger.instance.debug(JSON.stringify({ options, args }));
+        Logger.instance.debugOptions({ options, args });
 
         let unityEditor: UnityEditor | undefined;
         const editorPath = options.unityEditor?.toString()?.trim() || process.env.UNITY_EDITOR_PATH || undefined;
@@ -540,7 +548,7 @@ program.command('list-project-templates')
             Logger.instance.logLevel = LogLevel.DEBUG;
         }
 
-        Logger.instance.debug(JSON.stringify(options));
+        Logger.instance.debugOptions(options);
 
         const unityVersionStr = options.unityVersion?.toString()?.trim();
 
@@ -593,7 +601,7 @@ program.command('create-project')
             Logger.instance.logLevel = LogLevel.DEBUG;
         }
 
-        Logger.instance.debug(JSON.stringify(options));
+        Logger.instance.debugOptions(options);
 
         const unityVersionStr = options.unityVersion?.toString()?.trim();
 
@@ -665,7 +673,7 @@ program.command('open-project')
             Logger.instance.logLevel = LogLevel.DEBUG;
         }
 
-        Logger.instance.debug(JSON.stringify(options));
+        Logger.instance.debugOptions(options);
         const projectPath = options.unityProject?.toString()?.trim() || process.env.UNITY_PROJECT_PATH || undefined;
         const unityProject = await UnityProject.GetProject(projectPath);
 
@@ -731,7 +739,7 @@ program.command('sign-package')
             Logger.instance.logLevel = LogLevel.DEBUG;
         }
 
-        Logger.instance.debug(JSON.stringify(options));
+        Logger.instance.debugOptions(options);
 
         const packagePath = path.normalize(options.package?.toString()?.trim());
 
@@ -796,6 +804,11 @@ program.command('sign-package')
             process.exit(1);
         }
 
+        // Mask credentials in CI environments before any potential logging
+        Logger.instance.maskCredential(username);
+        Logger.instance.maskCredential(password);
+        Logger.instance.maskCredential(organization);
+
         // must use a unity editor 6000.3 or newer
         const unityVersion = new UnityVersion('6000.3');
         const unityHub = new UnityHub();

src/cli.ts

@@ -225,6 +225,87 @@ export class Logger {
         }
     }
 
+    /**
+     * Masks a credential value in CI environments before it appears in logs.
+     * This is a convenience wrapper around CI_mask for credential values.
+     * @param value The credential value to mask.
+     */
+    public maskCredential(value: string | undefined): void {
+        if (value && value.length > 0) {
+            this.CI_mask(value);
+        }
+    }
+
+    /**
+     * Logs command-line options with sensitive information scrubbed.
+     * Automatically removes passwords, tokens, emails, and other credentials from the output.
+     * @param options The options object to log (typically from commander.js).
+     * @param optionalParams Additional parameters to log.
+     */
+    public debugOptions(options: any, ...optionalParams: any[]): void {
+        // Avoid expensive scrubbing and stringification when debug logging is disabled.
+        if (this.logLevel !== LogLevel.DEBUG) {
+            return;
+        }
+        const scrubbed = this.scrubSensitiveData(options);
+        this.debug(JSON.stringify(scrubbed), ...optionalParams);
+    }
+
+    /**
+     * List of sensitive option keys that should be scrubbed from debug output.
+     */
+    private readonly SENSITIVE_KEYS = [
+        'password',
+        'email',
+        'serial',
+        'token',
+        'config',
+        'organization',
+        'username',
+        'servicesConfig'
+    ];
+
+    /**
+     * Scrubs sensitive information from an object for safe logging.
+     * Creates a deep clone of the object and replaces sensitive values with [REDACTED].
+     * @param obj The object to scrub (typically command-line options).
+     * @returns A new object with sensitive values replaced.
+     */
+    private scrubSensitiveData(obj: any): any {
+        if (obj === null || obj === undefined) {
+            return obj;
+        }
+
+        if (typeof obj !== 'object') {
+            return obj;
+        }
+
+        if (Array.isArray(obj)) {
+            return obj.map((item: any) => this.scrubSensitiveData(item));
+        }
+
+        const scrubbedObj: any = {};
+
+        for (const key in obj) {
+            if (obj.hasOwnProperty(key)) {
+                const lowerKey = key.toLowerCase();
+                const isSensitive = this.SENSITIVE_KEYS.some(
+                    sensitiveKey => lowerKey.includes(sensitiveKey.toLowerCase())
+                );
+
+                if (isSensitive) {
+                    scrubbedObj[key] = '[REDACTED]';
+                } else if (typeof obj[key] === 'object') {
+                    scrubbedObj[key] = this.scrubSensitiveData(obj[key]);
+                } else {
+                    scrubbedObj[key] = obj[key];
+                }
+            }
+        }
+
+        return scrubbedObj;
+    }
+
     /**
      * Sets an environment variable in CI environments that support it.
      * @param name The name of the environment variable.

src/logging.ts

@@ -191,6 +191,32 @@ export class UnityEditor {
         return templates;
     }
 
+    /**
+     * Scrubs sensitive command-line arguments for safe logging.
+     * Replaces values for sensitive flags like -username, -password, etc. with [REDACTED].
+     * @param args The command-line arguments array.
+     * @returns A new array with sensitive values redacted.
+     */
+    public scrubSensitiveArgs(args: string[]): string[] {
+        const sensitiveFlags = ['-username', '-password', '-cloudOrganization', '-serial'];
+        const scrubbedArgs: string[] = [];
+        
+        for (let i = 0; i < args.length; i++) {
+            const arg = args[i];
+            if (!arg) continue;
+            
+            scrubbedArgs.push(arg);
+            
+            // If this is a sensitive flag and the next item is its value
+            if (sensitiveFlags.includes(arg) && i + 1 < args.length) {
+                scrubbedArgs.push('[REDACTED]');
+                i++; // Skip the next item (the actual value) since we've already added [REDACTED]
+            }
+        }
+        
+        return scrubbedArgs;
+    }
+
     /**
      * Run the Unity Editor with the specified command line arguments.
      * @param command The command containing arguments and optional project path.
@@ -264,7 +290,10 @@ export class UnityEditor {
 
             const logPath: string = GetArgumentValueAsString('-logFile', command.args);
             logTail = TailLogFile(logPath, command.projectPath);
-            const commandStr = `\x1b[34m${this.editorPath} ${command.args.join(' ')}\x1b[0m`;
+            
+            // Scrub sensitive arguments before logging
+            const scrubbedArgs = this.scrubSensitiveArgs(command.args);
+            const commandStr = `\x1b[34m${this.editorPath} ${scrubbedArgs.join(' ')}\x1b[0m`;
             this.logger.startGroup(commandStr);
 
             if (this.version.isLegacy() && process.platform === 'darwin' && process.arch === 'arm64') {