Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug fix] Prevent exposing API key secret in stdout logging #270

Merged
merged 12 commits into from
Jan 20, 2021
Merged

[Bug fix] Prevent exposing API key secret in stdout logging #270

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
5fca7b6
update the powershell gallery install link
paulegradie Jan 17, 2021
56d69c2
remove Write-Verbose exposing secret and update readme link
paulegradie Jan 18, 2021
b8a4cc6
add a pull request template
paulegradie Jan 18, 2021
42b1c95
update before stripping out
paulegradie Jan 18, 2021
0a2b795
pull pr template into separate PR
paulegradie Jan 18, 2021
2e1f053
refactor masking function
paulegradie Jan 18, 2021
50e2c8c
use masking function in commands
paulegradie Jan 18, 2021
5283491
Typo
paulegradie Jan 19, 2021
96b3c9c
rename function
paulegradie Jan 19, 2021
fb31e43
split out changes to readme
paulegradie Jan 19, 2021
c93e7b2
fix join string
paulegradie Jan 19, 2021
72995ea
simplify masking function
paulegradie Jan 20, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion OctopusDSC/DSCResources/cTentacleAgent/cTentacleAgent.psm1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1278,6 +1278,5 @@ function Register-Tentacle {
$registerArguments += @("--tenanted-deployment-participation", $TenantedDeploymentParticipation)
}

Write-Verbose "Registering with arguments: $registerArguments"
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the main fix - this line is redundant and doesn't pass the arguments through the scrubber.

Invoke-TentacleCommand $registerArguments
}
63 changes: 23 additions & 40 deletions OctopusDSC/OctopusDSCHelpers.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -153,46 +153,35 @@ Function Invoke-WithRetries {
return $returnvalue
}

Function Get-MaskedOutput
{
function Get-MaskedOutput {
[CmdletBinding()]
param($arguments)

$reg = [System.Text.RegularExpressions.RegEx]::new("--masterkey|--password|--license",
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We felt it was prudent to improve the logic around the masking function. Note the edge case clause (the else block).

[System.Text.RegularExpressions.RegexOptions]::IgnoreCase)
$singleAsterixArgs = "--masterkey|--license|--licence|--trust|--password|--remove-trust|--apikey|--pw|--pfx-password|--proxyPassword";
$connectionStringArgs = "--connectionstring";

if(($arguments -match "--masterkey|--password|--license"))
{
for($x=0;$x -lt $arguments.count; $x++)
{
if(($arguments[$x] -match "--masterkey|--password|--license|--trust|--remove-trust|--apikey|--password|--pw|--pfx-password|--proxyPassword"))
{
$arguments[$x+1] = $arguments[$x+1] -replace ".", "*"
}
# Scrub sensitive values
for($x=0; $x -lt $arguments.count; $x++) {
if($arguments[$x] -match $singleAsterixArgs) {
$arguments[$x+1] = "**********"
} elseif($arguments[$x] -match $connectionStringArgs) {
$arguments[$x+1] = $arguments[$x+1] -replace "(password|pwd)=[^;|`"]*", "`$1=********"
}
$out = $arguments
}
elseif(($arguments -match "password|pwd"))
{
$out = $arguments -replace "(password|pwd)=[^;|`"]*", "`$1=********"
}
else
{
$out = @("************************")
}
return $out
return $arguments
}

function Write-VerboseWithMaskedCommand ($cmdArgs) {
$copiedarguments = @() # hack to pass a copy of the array, not a reference
$copiedarguments += $cmdArgs
$maskedarguments = Get-MaskedOutput $copiedarguments
Write-Verbose "Executing command '$octopusServerExePath $($maskedarguments -join ' ')'"
}

function Invoke-OctopusServerCommand ($cmdArgs) {
# todo: fix this up
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rewriting the function masker helped make it clear that much of this code was redundant, so it has been removed. Args provided to a call to Write-Verbose (or other logging) should always be passed through the masking function.

if ((($cmdArgs -match "masterkey|password|license|pwd=").Count -eq 0)) {
Write-Verbose "Executing command '$octopusServerExePath $($cmdArgs -join ' ')'"
} else {
$copiedarguments = @() # hack to pass a copy of the array, not a reference
$copiedarguments += $cmdArgs
$maskedarguments = Get-MaskedOutput $copiedarguments
Write-Verbose "Executing command '$octopusServerExePath $($maskedarguments -join ' ')'"
}

Write-VerboseWithMaskedCommand($cmdArgs);

$LASTEXITCODE = 0
$output = & $octopusServerExePath $cmdArgs 2>&1

Expand All @@ -210,15 +199,9 @@ function Test-TentacleExecutableExists {
}

function Invoke-TentacleCommand ($cmdArgs) {
# todo: fix this up
if ((($cmdArgs -match "masterkey|password|license|pwd=").Count -eq 0)) {
Write-Verbose "Executing command '$tentacleExePath $($cmdArgs -join ' ')'"
} else {
$copiedarguments = @() # hack to pass a copy of the array, not a reference
$copiedarguments += $cmdArgs
$maskedarguments = Get-MaskedOutput $copiedarguments
Write-Verbose "Executing command '$tentacleExePath $($maskedarguments -join ' ')'"
}

Write-VerboseWithMaskedCommand($cmdArgs);

$LASTEXITCODE = 0
$output = & $tentacleExePath $cmdArgs 2>&1

Expand Down