
fix(core): fixes leaking private key password to logs in mongo setup #28

Merged
merged 1 commit into from
Jul 31, 2020

Conversation

ddneilson
Contributor

This fixes a bug in the serverCertFromSecrets.sh script that is used by the MongoDbInstance construct to fetch the server's TLS certificates from secrets. The bug results in the passphrase for the private key being leaked to logs.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@ryyakobe ryyakobe self-requested a review July 31, 2020 15:34
@ddneilson
Contributor Author

Logs before:

```
+ set +x
++ printenv RET_VALUE
+ export KEY_PW=<password here>
+ KEY_PW=<password here>
+ openssl rsa -in ./encrypted_key.pem -passin env:KEY_PW -out ./decrypted_key.pem
```

Logs after fix:

```
+ set +x
+ openssl rsa -in ./encrypted_key.pem -passin env:RET_VALUE -out ./decrypted_key.pem
```
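The leak class shown in the logs above, reproduced as an added example that is not the PR's script: a variable assignment made while `set -x` is active is echoed with its value, whereas handing a tool only the variable name (`env:NAME`) keeps the value out of the trace. `consume_from_env` is a constructed stand-in for `openssl -passin env:NAME`, and the secret is a constructed sample value.

```shell
#!/bin/sh
# Added example, not code from the RFDK repository: reproduces the xtrace
# leak the PR fixes. consume_from_env is a constructed stand-in for a tool
# that takes env:VARNAME (like openssl -passin) and runs as a separate
# process, so xtrace sees only the variable name, never its value.

SECRET='hunter2-constructed-passphrase'   # constructed sample secret

consume_from_env() {
    # child shell reads the variable named after "env:"; not traced by the parent
    sh -c 'eval "val=\$$1"; [ -n "$val" ] && printf "consumed %d bytes\n" "${#val}"' \
        _ "${1#env:}"
}

# Leaky pattern: the secret is fetched with tracing off, then copied into a
# new exported variable after tracing is back on. That assignment is traced,
# so the value is written to the log.
leaky() {
    set +x
    RET_VALUE="$SECRET"
    set -x
    export KEY_PW="$RET_VALUE"
    consume_from_env env:KEY_PW
    set +x
}

# Fixed pattern: export the variable populated while tracing was off and hand
# only its name to the consumer. No traced command line carries the value.
fixed() {
    set +x
    RET_VALUE="$SECRET"
    export RET_VALUE
    set -x
    consume_from_env env:RET_VALUE
    set +x
}

# Run a function in a subshell, capture its xtrace output (stderr) and report
# whether the secret appears in it: returns 0 if it leaked, 1 if clean.
trace_leaks() {
    trace=$( ( "$1" ) 2>&1 >/dev/null )
    case "$trace" in
        *"$SECRET"*) return 0 ;;
        *)           return 1 ;;
    esac
}

if trace_leaks leaky; then echo "leaky: secret found in trace"; fi
if ! trace_leaks fixed; then echo "fixed: trace is clean"; fi
```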

Contributor

@evanspearman-a evanspearman-a left a comment


Ship it.

Contributor

@ryyakobe ryyakobe left a comment


Looks good!

@ryyakobe ryyakobe merged commit efd1602 into aws:mainline Jul 31, 2020
@ryyakobe ryyakobe deleted the mongo_secret_fix branch July 31, 2020 16:24