
Commit 24b448e

authored
[Bug fix] Prevent exposing API key secret in stdout logging (#270)
* remove Write-Verbose line * use masking function in commands * simplify masking function
1 parent 8f27221 commit 24b448e


2 files changed

+23
-41
lines changed


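--- a/OctopusDSC/DSCResources/cTentacleAgent/cTentacleAgent.psm1
+++ b/OctopusDSC/DSCResources/cTentacleAgent/cTentacleAgent.psm1
@@ -1278,6 +1278,5 @@ function Register-Tentacle {
 $registerArguments += @("--tenanted-deployment-participation", $TenantedDeploymentParticipation)
 }
 
-Write-Verbose "Registering with arguments: $registerArguments"
 Invoke-TentacleCommand $registerArguments
 }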

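--- a/OctopusDSC/OctopusDSCHelpers.ps1
+++ b/OctopusDSC/OctopusDSCHelpers.ps1
@@ -153,46 +153,35 @@ Function Invoke-WithRetries {
 return $returnvalue
 }
 
-Function Get-MaskedOutput
-{
+function Get-MaskedOutput {
 [CmdletBinding()]
 param($arguments)
 
-$reg = [System.Text.RegularExpressions.RegEx]::new("--masterkey|--password|--license",
-[System.Text.RegularExpressions.RegexOptions]::IgnoreCase)
+$singleAsterixArgs = "--masterkey|--license|--licence|--trust|--password|--remove-trust|--apikey|--pw|--pfx-password|--proxyPassword";
+$connectionStringArgs = "--connectionstring";
 
-if(($arguments -match "--masterkey|--password|--license"))
-{
-for($x=0;$x -lt $arguments.count; $x++)
-{
-if(($arguments[$x] -match "--masterkey|--password|--license|--trust|--remove-trust|--apikey|--password|--pw|--pfx-password|--proxyPassword"))
-{
-$arguments[$x+1] = $arguments[$x+1] -replace ".", "*"
-}
+# Scrub sensitive values
+for($x=0; $x -lt $arguments.count; $x++) {
+if($arguments[$x] -match $singleAsterixArgs) {
+$arguments[$x+1] = "**********"
+} elseif($arguments[$x] -match $connectionStringArgs) {
+$arguments[$x+1] = $arguments[$x+1] -replace "(password|pwd)=[^;|`"]*", "`$1=********"
 }
-$out = $arguments
-}
-elseif(($arguments -match "password|pwd"))
-{
-$out = $arguments -replace "(password|pwd)=[^;|`"]*", "`$1=********"
-}
-else
-{
-$out = @("************************")
 }
-return $out
+return $arguments
+}
+
+function Write-VerboseWithMaskedCommand ($cmdArgs) {
+$copiedarguments = @() # hack to pass a copy of the array, not a reference
+$copiedarguments += $cmdArgs
+$maskedarguments = Get-MaskedOutput $copiedarguments
+Write-Verbose "Executing command '$octopusServerExePath $($maskedarguments -join ' ')'"
 }
 
 function Invoke-OctopusServerCommand ($cmdArgs) {
-# todo: fix this up
-if ((($cmdArgs -match "masterkey|password|license|pwd=").Count -eq 0)) {
-Write-Verbose "Executing command '$octopusServerExePath $($cmdArgs -join ' ')'"
-} else {
-$copiedarguments = @() # hack to pass a copy of the array, not a reference
-$copiedarguments += $cmdArgs
-$maskedarguments = Get-MaskedOutput $copiedarguments
-Write-Verbose "Executing command '$octopusServerExePath $($maskedarguments -join ' ')'"
-}
+
+Write-VerboseWithMaskedCommand($cmdArgs);
+
 $LASTEXITCODE = 0
 $output = & $octopusServerExePath $cmdArgs 2>&1
 
@@ -210,15 +199,9 @@ function Test-TentacleExecutableExists {
 }
 
 function Invoke-TentacleCommand ($cmdArgs) {
-# todo: fix this up
-if ((($cmdArgs -match "masterkey|password|license|pwd=").Count -eq 0)) {
-Write-Verbose "Executing command '$tentacleExePath $($cmdArgs -join ' ')'"
-} else {
-$copiedarguments = @() # hack to pass a copy of the array, not a reference
-$copiedarguments += $cmdArgs
-$maskedarguments = Get-MaskedOutput $copiedarguments
-Write-Verbose "Executing command '$tentacleExePath $($maskedarguments -join ' ')'"
-}
+
+Write-VerboseWithMaskedCommand($cmdArgs);
+
 $LASTEXITCODE = 0
 $output = & $tentacleExePath $cmdArgs 2>&1
 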
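Review bot: Get-MaskedOutput masks only `$arguments[$x+1]`, so a secret carried in the same token as its flag (`--apikey=VALUE`; whether any caller builds arguments that way is not visible here) would still reach the verbose log while the unrelated next element is overwritten. Anchoring the test, `$arguments[$x] -match "^($singleAsterixArgs)(=|\z)"`, and masking in place when the token contains `=`, e.g. `$arguments[$x] = $arguments[$x] -replace '=.*$', '=**********'`, would close that gap, and a bounds check on `$x+1` would keep a trailing sensitive flag from assigning past the end of the array. Separately, Write-VerboseWithMaskedCommand always prints `$octopusServerExePath`, so commands run through Invoke-TentacleCommand are now logged under the server executable where the removed code printed `$tentacleExePath`; taking the executable path as a second parameter would keep the log accurate for later troubleshooting. The bodies of Invoke-OctopusServerCommand and Invoke-TentacleCommand continue outside these hunks.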
