
Chef Vault warns and leaks secrets when vault json contains properly encoded special characters #415

Open
decoyjoe opened this issue Nov 25, 2024 · 0 comments · May be fixed by #416
Labels
Status: Untriaged An issue that has yet to be triaged. Type: Bug Does not work as expected.

Comments

@decoyjoe

Version:

Environment:

Any environment.

Scenario:

When a JSON file containing valid JSON with properly encoded special characters (like null bytes) is processed by Chef Vault, the system incorrectly flags these characters as non-printable. This results in unnecessary warnings and exposure of sensitive data in logs or console output.

Steps to Reproduce:

  1. Create a valid JSON file named test.json:

    {
      "id": "test",
      "data": "secret_with_null->\u0000<-byte"
    }

  2. Use this JSON file to create or update a vault:

    $ knife vault create chef-vault-415 test --mode client --json ./test.json

  3. Output contains warning and exposes vault secret:

    WARN: Value 'secret_with_null-> <-byte' of key 'data' contains non-printable characters. Check that backslashes are escaped with another backslash (e.g. C:\Windows) in double-quoted strings.

Expected Result:

Chef Vault processes the vault item without warnings since the JSON is valid and the special characters are properly encoded.

Actual Result:

Chef Vault logs a warning indicating that the vault item contains non-printable characters and exposes the sensitive vault content.

Recommendation

Chef Vault should be agnostic to the content of the vault item JSON. As long as the JSON is valid, which is the responsibility of the JSON parser, it should proceed with uploading the item to the server.
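A defender-side illustration of the behaviour the issue describes, added here as an example and not chef-vault's own code: a check that echoes the flagged value leaks the secret into logs, while a redacted variant reports only the key and the offending code points. The function names and the sample JSON are constructed for this example.

```ruby
require "json"

# Constructed sample input: valid JSON whose "data" value carries a
# properly encoded null byte, as in the report above. The single-quoted
# heredoc keeps the \u0000 escape for the JSON parser to decode.
SAMPLE_JSON = <<~'JSON'
  {
    "id": "test",
    "data": "secret_with_null->\u0000<-byte"
  }
JSON

def sample_item
  JSON.parse(SAMPLE_JSON)
end

# Hypothetical check mirroring the reported warning: it flags values that
# contain non-printable characters but echoes the value itself, which is
# what writes the secret into console output and logs.
def leaky_warnings(item)
  item.each_with_object([]) do |(key, value), warnings|
    next unless value.is_a?(String) && value.match?(/[^[:print:]]/)
    warnings << "WARN: Value '#{value}' of key '#{key}' contains non-printable characters."
  end
end

# Hardened variant (an assumption, not chef-vault's code): the JSON parser
# has already established that the value is well-formed, so the warning
# names only the key and the code points involved, never the value.
def redacted_warnings(item)
  item.each_with_object([]) do |(key, value), warnings|
    next unless value.is_a?(String)
    bad = value.scan(/[^[:print:]]/)
    next if bad.empty?
    codepoints = bad.map { |c| format("U+%04X", c.ord) }.uniq.join(", ")
    warnings << "WARN: Value of key '#{key}' contains #{bad.size} non-printable character(s) (#{codepoints}); value redacted."
  end
end

# Detection helper: does any emitted warning reproduce a secret verbatim?
def warnings_leak_secret?(warnings, item)
  secrets = item.values.grep(String)
  warnings.any? { |w| secrets.any? { |s| w.include?(s) } }
end

item = sample_item
puts leaky_warnings(item)    # reproduces the secret, null byte included
puts redacted_warnings(item) # names the key and U+0000 only
```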

@decoyjoe decoyjoe added Status: Untriaged An issue that has yet to be triaged. Type: Bug Does not work as expected. labels Nov 25, 2024
decoyjoe added a commit to decoyjoe/chef-vault that referenced this issue Nov 25, 2024
This partially reverts commit 2e0ee1b

Fixes chef#415

Signed-off-by: Joseph Larionov <jlarionov@webmd.net>