/config endpoints leak secrets #2928

Closed
wkloucek opened this issue Jan 3, 2022 · 0 comments · Fixed by #4086

Comments

Contributor

wkloucek commented Jan 3, 2022

Describe the bug

The debug endpoints of the individual services feature a /config endpoint to view the configuration of a service.
The configuration includes secrets.

Expected behavior

One can not dump secrets via this endpoint.

Actual behavior

You can dump / view secrets in plain text on this endpoint. (e.g. curl localhost:9205/config | jq .MachineAuthAPIKey)

Additional context

As long as the debug endpoints are not exposed, the /config endpoint can not be accessed from the outside world. The debug endpoint does a bind to 127.0.0.1 by default.
Anyway, this needs to be changed to a more secure approach.

cc @refs, @C0rby
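One way a service can keep a /config debug endpoint while no longer returning credentials, as an added example that is not oCIS code or part of the issue: the handler encodes a copy of the configuration in which every field carrying an assumed `secret:"true"` struct tag has been masked. The Config struct, its tag, the Addr field and the sample values are assumptions for this example; only MachineAuthAPIKey and the 127.0.0.1 bind come from the report.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"reflect"
)

// Config stands in for a service configuration. The `secret:"true"` tag is an
// assumption made for this example: it marks fields /config must never return.
type Config struct {
	Addr              string `json:"Addr"`
	MachineAuthAPIKey string `json:"MachineAuthAPIKey" secret:"true"`
}

const Redacted = "<redacted>"

// Redact returns a copy of cfg with every string field tagged secret:"true" masked.
func Redact(cfg Config) Config {
	v := reflect.ValueOf(&cfg).Elem()
	for i := 0; i < v.NumField(); i++ {
		f := v.Type().Field(i)
		if f.Tag.Get("secret") == "true" && v.Field(i).Kind() == reflect.String {
			v.Field(i).SetString(Redacted)
		}
	}
	return cfg
}

// ConfigHandler encodes the redacted copy instead of the raw struct.
func ConfigHandler(cfg Config) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_ = json.NewEncoder(w).Encode(Redact(cfg))
	})
}

// ServeConfig sends one GET /config through the handler and decodes the body, i.e. what curl would see.
func ServeConfig(cfg Config) (map[string]string, error) {
	rec := httptest.NewRecorder()
	ConfigHandler(cfg).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/config", nil))
	var out map[string]string
	return out, json.Unmarshal(rec.Body.Bytes(), &out)
}

func main() {
	out, _ := ServeConfig(Config{Addr: "127.0.0.1:9205", MachineAuthAPIKey: "sample-key"}) // constructed values
	fmt.Println(out)
}
```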
