Secret Values special characters are interpreted #255

Closed
nichcuta opened this issue May 11, 2024 · 9 comments · Fixed by #257

@nichcuta

Hi,

Running v0.7.0, and noticed that secret values are getting interpreted rather than passed as is.
Example:

"value": "password<"

is JSON rendered as:
"value": "password\u003c"

When using base as format, if newline (\n) is in value, this is also interpreted resulting in the below incorrect syntax

            │   ├── example-keystore-jks_base64=/u3+7QQAAAYtIxCqRAAAFATCCBP0wDgYKKwAAAAIAAAABAAAAAQABMYBBAEqAhEBAQUABIIE6Z9q
            │   │   w2lvG+76o2JhexbzP2qA8EnUwzRorbDkbgRvTrsp3dMFBEnYqFurMXJMVnY8qffoD4OC19OvMkFg
            │   │   /am4W0GdZV05AQh+OTmEgDPfyVNKZCosmGl5Zr6zYuxSR1a9jVOjIPh+KIgDFy/Q021S7R+1fHrR
            │   │   6eKX5JDtl3TWDSphgInCsNN+h8LVk+nC6DtJoAQSqC6+t+b1SRzvVOWk+EmnRHTLULmjG7zTCNx0

@FalcoSuessgott
Owner

Oh interesting! Will have a look, thanks for reporting.

@FalcoSuessgott
Owner

Special characters like < and > are now preserved.

I can't reproduce the \n breaking the base format output. Can you provide me an example secret value that leads to the output you have provided?
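
Added example, not vkv's code and not taken from #257: the `password\u003c` output reported above is what Go's `encoding/json` produces by default, because it escapes `<`, `>` and `&` for safe embedding in HTML, while an `Encoder` with `SetEscapeHTML(false)` writes the characters as stored. The `secret` type, the helper names and the sample values are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// secret mirrors the "value" field from the report (constructed type).
type secret struct {
	Value string `json:"value"`
}

// marshalDefault uses json.Marshal, which rewrites <, > and & as
// \u003c, \u003e and \u0026 so the JSON is safe to embed in HTML.
func marshalDefault(s secret) (string, error) {
	b, err := json.Marshal(s)
	return string(b), err
}

// marshalVerbatim turns HTML escaping off so the characters are written as stored.
func marshalVerbatim(s secret) (string, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	if err := enc.Encode(s); err != nil {
		return "", err
	}
	// Encode appends a trailing newline; drop it for comparison.
	return strings.TrimSuffix(buf.String(), "\n"), nil
}

// decode parses a JSON document back into the secret value.
func decode(doc string) (string, error) {
	var s secret
	err := json.Unmarshal([]byte(doc), &s)
	return s.Value, err
}

func main() {
	// Constructed sample values: one from the report, one with a newline.
	for _, v := range []string{"password<", "line1\nline2&"} {
		esc, _ := marshalDefault(secret{v})
		raw, _ := marshalVerbatim(secret{v})
		back, _ := decode(esc)
		fmt.Printf("default:  %s\nverbatim: %s\nround-trip ok: %v\n", esc, raw, back == v)
	}
}
```

A JSON decoder recovers the same secret from both forms; the escaped form only corrupts the value for consumers that read the text without decoding it, such as a copy from the terminal or a grep over the export.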

@nichcuta
Author

nichcuta commented May 11, 2024 via email

@nichcuta
Author

So value is:

"example-keystore-jks_base64": "/u3+EqAhEBAQUABII7QAAAAIAAAABAAAAAQABMQAAAYtIxCqRAAAFATCCBP0wDgYKKwYBBAE6Z9q\nw2lvbDkbgRvTrsp3dMFBEnYqFurMXJMVnG+76o2JhexbzP2qA8EnUwzRorY8qffoD4OC19OvMkFg\n/am4W0GdZVPfyVNKZCosmGl5Zr6zYuxSR1a9j1fHrR05AQh+OTVOjIPh+KIgDFy/Q021S7R+mEgD\n6eKX5JDtl3TWDSphgInCsN1SRzvVOWk+EmnRHTLULmjG7zTCN+h8LVk+nC6DtJoAQSqC6+t+bNx0\nukVSh0CPv7tjX5z6XeMJW+PNQUR3pe/w4QbH3MAzEQhkCg1l93CWxoooRrgXmIdSf0qq4joA2kt/\nzn65p359dOEx+owXCMBh/JRZ3Gf253m+jyLTYp0kPHzJGwXwD+6GVs6dum3B+lZuc8v45VvXTE4B"

This is rendered like so:

            │   ├── example-keystore-jks_base64=/u3+EqAhEBAQUABII7QAAAAIAAAABAAAAAQABMQAAAYtIxCqRAAAFATCCBP0wDgYKKwYBBAE6Z9q
            │   │   w2lvbDkbgRvTrsp3dMFBEnYqFurMXJMVnG+76o2JhexbzP2qA8EnUwzRorY8qffoD4OC19OvMkFg
            │   │   /am4W0GdZVPfyVNKZCosmGl5Zr6zYuxSR1a9j1fHrR05AQh+OTVOjIPh+KIgDFy/Q021S7R+mEgD
            │   │   6eKX5JDtl3TWDSphgInCsN1SRzvVOWk+EmnRHTLULmjG7zTCN+h8LVk+nC6DtJoAQSqC6+t+bNx0
            │   │   ukVSh0CPv7tjX5z6XeMJW+PNQUR3pe/w4QbH3MAzEQhkCg1l93CWxoooRrgXmIdSf0qq4joA2kt/
            │   │   zn65p359dOEx+owXCMBh/JRZ3Gf253m+jyLTYp0kPHzJGwXwD+6GVs6dum3B+lZuc8v45VvXTE4B

Expected to be rendered as:

            │   ├── example-keystore-jks_base64=/u3+EqAhEBAQUABII7QAAAAIAAAABAAAAAQABMQAAAYtIxCqRAAAFATCCBP0wDgYKKwYBBAE6Z9q\nw2lvbDkbgRvTrsp3dMFBEnYqFurMXJMVnG+76o2JhexbzP2qA8EnUwzRorY8qffoD4OC19OvMkFg\n/am4W0GdZVPfyVNKZCosmGl5Zr6zYuxSR1a9j1fHrR05AQh+OTVOjIPh+KIgDFy/Q021S7R+mEgD\n6eKX5JDtl3TWDSphgInCsN1SRzvVOWk+EmnRHTLULmjG7zTCN+h8LVk+nC6DtJoAQSqC6+t+bNx0\nukVSh0CPv7tjX5z6XeMJW+PNQUR3pe/w4QbH3MAzEQhkCg1l93CWxoooRrgXmIdSf0qq4joA2kt/\nzn65p359dOEx+owXCMBh/JRZ3Gf253m+jyLTYp0kPHzJGwXwD+6GVs6dum3B+lZuc8v45VvXTE4B

Note: the above example is not a valid base64. Can't provide the actual base64 value for security reasons.

@FalcoSuessgott
Owner

FalcoSuessgott commented May 12, 2024

Thanks for the example. I don't really think I can avoid that .. I think the terminal will simply break the line once the line is longer than the terminal width, which will lead the underlying library (gotree) to add another | in the front. But I will play around and see what I can do and get back to you.

@FalcoSuessgott
Owner

Bonjour @nichcuta!

I think I found a nice solution:

With vkv v0.7.0, secrets across multiple lines break the base output (GitHub's Markdown code blocks do not actually break the lines like a terminal does ..)

> vkv export -p secret --show-values
secret/ [desc=key/value secret storage] [type=kv2]
├── admin [v=1] [key=value]
│   └── sub=password
├── demo [v=1]
│   └── foo=bar
└── sub
    ├── demo [v=1]
    │   ├── demo=hello world
    │   ├── password=s3cre5
    │   └── user=admin
    └── sub2
        └── demo [v=3] [admin=false key=value]
            ├── admin=key
            ├── foo=bar
            ├── key=/u3+EqAhEBAQUABII7QAAAAIAAAABAAAAAQABMQAAAYtIxCqRAAAFATCCBP0wDgYKKwYBBAE6Z9q\nw2lvbDkbgRvTrsp3dMFBEnYqFurMXJMVnG+76o2JhexbzP2qA8EnUwzRorY8qffoD4OC19OvMkFg\n/am4W0GdZVPfyVNKZCosmGl5Zr6zYuxSR1a9j1fHrR05AQh+OTVOjIPh+KIgDFy/Q021S7R+mEgD\n6eKX5JDtl3TWDSphgInCsN1SRzvVOWk+EmnRHTLULmjG7zTCN+h8LVk+nC6DtJoAQSqC6+t+bNx0\nukVSh0CPv7tjX5z6XeMJW+PNQUR3pe/w4QbH3MAzEQhkCg1l93CWxoooRrgXmIdSf0qq4joA2kt/\nzn65p359dOEx+owXCMBh/JRZ3Gf253m+jyLTYp0kPHzJGwXwD+6GVs6dum3B+lZuc8v45VvXTE4B
            ├── password=password
            └── user=user

With the changes from #257, secret values are now correctly indented by interpreting any \n:

> go run main.go export -p secret --show-values
secret/ [desc=key/value secret storage] [type=kv2]
├── admin [v=1] [key=value]
│   └── sub=password
│   
├── demo [v=1]
│   └── foo=bar
│   
└── sub
    ├── demo [v=1]
    │   ├── demo=hello world
    │   ├── password=s3cre5
    │   └── user=admin
    │   
    └── sub2
        └── demo [v=4] [admin=false key=value]
            ├── admin=key
            ├── foo=bar
            ├── key=/u3+EqAhEBAQUABII7QAAAAIAAAABAAAAAQABMQAAAYtIxCqRAAAFATCCBP0wDgYKKwYBBAE6Z9q
            │   w2lvbDkbgRvTrsp3dMFBEnYqFurMXJMVnG+76o2JhexbzP2qA8EnUwzRorY8qffoD4OC19OvMkFg
            │   /am4W0GdZVPfyVNKZCosmGl5Zr6zYuxSR1a9j1fHrR05AQh+OTVOjIPh+KIgDFy/Q021S7R+mEgD
            │   6eKX5JDtl3TWDSphgInCsN1SRzvVOWk+EmnRHTLULmjG7zTCN+h8LVk+nC6DtJoAQSqC6+t+bNx0
            │   ukVSh0CPv7tjX5z6XeMJW+PNQUR3pe/w4QbH3MAzEQhkCg1l93CWxoooRrgXmIdSf0qq4joA2kt/
            │   zn65p359dOEx+owXCMBh/JRZ3Gf253m+jyLTYp0kPHzJGwXwD+6GVs6dum3B+lZuc8v45VvXTE4B
            ├── password=password
            └── user=user

Would that work for you?

@nichcuta
Author

Good morning @FalcoSuessgott ,

> vkv export -p secret --show-values
secret/ [desc=key/value secret storage] [type=kv2]
├── admin [v=1] [key=value]
│   └── sub=password
├── demo [v=1]
│   └── foo=bar
└── sub
    ├── demo [v=1]
    │   ├── demo=hello world
    │   ├── password=s3cre5
    │   └── user=admin
    └── sub2
        └── demo [v=3] [admin=false key=value]
            ├── admin=key
            ├── foo=bar
            ├── key=/u3+EqAhEBAQUABII7QAAAAIAAAABAAAAAQABMQAAAYtIxCqRAAAFATCCBP0wDgYKKwYBBAE6Z9q\nw2lvbDkbgRvTrsp3dMFBEnYqFurMXJMVnG+76o2JhexbzP2qA8EnUwzRorY8qffoD4OC19OvMkFg\n/am4W0GdZVPfyVNKZCosmGl5Zr6zYuxSR1a9j1fHrR05AQh+OTVOjIPh+KIgDFy/Q021S7R+mEgD\n6eKX5JDtl3TWDSphgInCsN1SRzvVOWk+EmnRHTLULmjG7zTCN+h8LVk+nC6DtJoAQSqC6+t+bNx0\nukVSh0CPv7tjX5z6XeMJW+PNQUR3pe/w4QbH3MAzEQhkCg1l93CWxoooRrgXmIdSf0qq4joA2kt/\nzn65p359dOEx+owXCMBh/JRZ3Gf253m+jyLTYp0kPHzJGwXwD+6GVs6dum3B+lZuc8v45VvXTE4B
            ├── password=password
            └── user=user

The key above is the current output. Perhaps zsh (the terminal I use) is causing this issue for me?
I think vkv should never interpret the '\n' so the secret value is preserved.

Thanks,
Nic

@FalcoSuessgott
Owner

Hi,

you're right, interpreting \n is probably not a good idea. I decided to stick to the behavior of the official vault CLI:

image

Which does not interpret special characters. This now equals vkv export:

image

As you can see in vault and vkv output, the terminal & shell simply break long lines at whatever width the current terminal session has (I use zsh + alacritty). I think this is fine and actually inevitable.

@nichcuta
Author

That's the behaviour I expected. Looks good to me :D

Thanks for fixing
