
'yuniql run' command executed through Azure Pipelines task exposes connection string if it contains an ampersand #259

Closed
maxkudosh opened this issue Mar 31, 2022 · 3 comments · Fixed by #262

Comments


maxkudosh commented Mar 31, 2022

Hi.

Our yuniql setup

We use yuniql in our development and deployment process to handle migrations. Azure Pipelines is our deployment platform. We use official pipeline extension to run migrations, more specifically 'use yuniql' and 'run yuniql' tasks. We store DB connection string in a task variable. Here is a screenshot of our configuration for the 'run yuniql' task:
[screenshot: 'run yuniql' task configuration]

The issue

When the DB connection string variable contains an ampersand (&), the yuniql tool starts exposing it in the console logs instead of redacting sensitive data as it normally does. And we don't provide the 'trace-sensitive-data' flag. Here is how it looks:
[screenshot: console log, 2022-03-31 16:51:36]
Note that the ampersand gets encoded into '\u0026', although the DB authentication successfully passes.
Also note that this issue is reproducible on the latest version of the extension, so nevermind the version presented on screenshots.

It looks like a bug in yuniql that makes the DB connection string leak into the logs. This behavior can't be fixed by explicitly setting the 'trace-sensitive-data' flag, since this flag can only be explicitly set to true.

rdagumampan (Owner) commented

@maxkudosh thanks for your feedback and for sharing this potential vulnerability. I will look into it and see if there's anything we can do in the short term. If there's any quick fix, it's likely to be released after the Easter holidays, when I plan to sit on outstanding issues.

P.S. Please star our repo ICYMI. It goes a long way in getting better stats and helping more people discover this tool :) Thanks!

@rdagumampan rdagumampan added the bug Something isn't working label Apr 1, 2022
rdagumampan (Owner) commented Apr 1, 2022

I can confirm that this is a bug and needs a code change. Sorry, but there is no immediate workaround for this except trying to change your password, if it's at all possible. I will prioritize this issue and release a patch soon. Thanks for reaching out @maxkudosh.


///<inheritdoc/>
public string PrintAsJson()
{
    var configuration = GetConfiguration();

    var configurationString = JsonSerializer.Serialize(configuration, new JsonSerializerOptions { WriteIndented = true, IgnoreReadOnlyProperties = true, PropertyNamingPolicy = JsonNamingPolicy.CamelCase });

    if (!_traceService.IsTraceSensitiveData) //If TraceSensitiveData is true, do not redact the sensitive data
        // Redaction searches the serialized text for the raw connection string. The serializer
        // escapes '&' as \u0026, so a connection string containing '&' is not found and is not redacted.
        configurationString = configurationString.Replace(configuration.ConnectionString, "<sensitive-data-redacted>");

    return configurationString;
}
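The failure mode described in the issue and visible in the snippet above, as an added example that is not yuniql's code: System.Text.Json's default encoder writes '&' as \u0026, so a post-serialization Replace of the raw connection string finds nothing and the secret is printed in full. The class, property names and sample connection string below are constructed for illustration. The two hardened variants either redact the value before it reaches the serializer, or search for the secret in the form the serializer actually wrote, using the same encoder the serializer options use.

```csharp
using System;
using System.Text.Json;

// Stand-in for the configuration object; the type and property names are assumptions,
// not yuniql's own types.
public sealed class MigrationConfiguration
{
    public string Platform { get; set; } = "";
    public string ConnectionString { get; set; } = "";
}

public static class RedactionDemo
{
    private const string Redacted = "<sensitive-data-redacted>";

    private static readonly JsonSerializerOptions Options = new JsonSerializerOptions
    {
        WriteIndented = true,
        IgnoreReadOnlyProperties = true,
        PropertyNamingPolicy = JsonNamingPolicy.CamelCase
        // Encoder is left at its default (JavaScriptEncoder.Default), which escapes
        // HTML-sensitive characters such as & < > + ' as \uXXXX sequences.
    };

    // Buggy pattern: serialize first, then look for the raw secret in the output.
    // A value such as "p&ss" is emitted as "p\u0026ss", so Replace matches nothing
    // and the whole connection string ends up in the log.
    public static string PrintAsJsonBuggy(MigrationConfiguration cfg, bool traceSensitiveData)
    {
        var json = JsonSerializer.Serialize(cfg, Options);
        if (!traceSensitiveData)
            json = json.Replace(cfg.ConnectionString, Redacted);
        return json;
    }

    // Hardened (1): redact on a copy of the object before serialization, so output
    // encoding can never change what the redaction step is looking for.
    public static string PrintAsJsonRedactBeforeSerialize(MigrationConfiguration cfg, bool traceSensitiveData)
    {
        var view = new MigrationConfiguration
        {
            Platform = cfg.Platform,
            ConnectionString = traceSensitiveData ? cfg.ConnectionString : Redacted
        };
        return JsonSerializer.Serialize(view, Options);
    }

    // Hardened (2): if the object cannot be copied, search for the secret as the
    // serializer would have written it, encoded with the same encoder the options use.
    public static string PrintAsJsonEncodedCompare(MigrationConfiguration cfg, bool traceSensitiveData)
    {
        var json = JsonSerializer.Serialize(cfg, Options);
        if (!traceSensitiveData && !string.IsNullOrEmpty(cfg.ConnectionString))
        {
            var encoded = JsonEncodedText.Encode(cfg.ConnectionString, Options.Encoder).ToString();
            json = json.Replace(encoded, Redacted);
        }
        return json;
    }

    // Simple leak check: does the rendered JSON still carry the password fragment?
    public static bool Leaks(string json, string secretFragment) => json.Contains(secretFragment);

    public static void Main()
    {
        // Constructed sample; the password deliberately contains an ampersand.
        var cfg = new MigrationConfiguration
        {
            Platform = "sqlserver",
            ConnectionString = "Server=db.example.internal;Database=app;User Id=migrator;Password=p&ss;"
        };

        var buggy = PrintAsJsonBuggy(cfg, traceSensitiveData: false);
        var fixedBefore = PrintAsJsonRedactBeforeSerialize(cfg, traceSensitiveData: false);
        var fixedEncoded = PrintAsJsonEncodedCompare(cfg, traceSensitiveData: false);

        Console.WriteLine(buggy);
        Console.WriteLine("buggy leaks:        " + Leaks(buggy, "Password="));
        Console.WriteLine("redact-before leaks: " + Leaks(fixedBefore, "Password="));
        Console.WriteLine("encoded-compare leaks: " + Leaks(fixedEncoded, "Password="));
    }
}
```

Redacting before serialization is the variant to prefer: the encoded-compare approach still depends on the serializer and the comparison using exactly the same encoder, and it cannot catch a secret that surfaces in another property or in a differently encoded form. Whichever fix is deployed, a connection string that has already been printed into pipeline logs should be treated as exposed and rotated, which is the only workaround the maintainer offers above.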
