Github App Private Key printed on auth failure #12309
Labels: bug (Something isn't working)
Comments
crenshaw-dev added a commit to crenshaw-dev/argo-cd that referenced this issue, Feb 7, 2023
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
crenshaw-dev added a commit that referenced this issue, Feb 8, 2023
* fix: sanitize repo creds in error messages (#12309)
  Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
* simplify
  Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
* comment
  Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
* include error message
  Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
---------
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
crenshaw-dev added a commit that referenced this issue, Feb 8, 2023
* fix: sanitize repo creds in error messages (#12309)
  Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
* simplify
  Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
* comment
  Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
* include error message
  Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
---------
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Fixed with release 2.6.1. Thanks for catching this! For future security issues, please start by reporting according to SECURITY.md. No big deal in this case, since it was an easy patch. But for more complicated fixes, reporting via private channels makes it a lot easier for the Argo team to develop/validate the patch(es) so we can roll them out in a responsible way.
Checklist:
argocd version
Describe the bug
When trying to create an application, I saw in both a popup in the frontend UI, and in the logs from the server:
where THEACTUALPRIVATEKEY is the actual private key for my github app.
Expected behavior
secret fields shouldn't be printed as part of error messages
Version
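The fix referenced in this issue is titled "sanitize repo creds in error messages". As an added example (not Argo CD's code; the page does not show the failing code path), the Go sketch below shows one common way a secret field reaches an error string and a sanitizing counterpart. `RepoCreds`, `LeakyError`, `SafeError` and all sample values are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// RepoCreds is a hypothetical credentials struct, not Argo CD's own type.
type RepoCreds struct {
	URL                 string
	GithubAppID         int64
	GithubAppPrivateKey string
}

// LeakyError formats the whole struct into the error, so the private key ends
// up wherever the error is shown: server logs, API responses, UI popups.
func LeakyError(c RepoCreds, cause error) error {
	return fmt.Errorf("auth failed for %+v: %w", c, cause)
}

// Sanitized returns a copy that is safe to print. The value receiver means the
// caller's struct is untouched; non-secret fields stay for debugging.
func (c RepoCreds) Sanitized() RepoCreds {
	if c.GithubAppPrivateKey != "" {
		c.GithubAppPrivateKey = "******"
	}
	return c
}

// SafeError prints only the sanitized copy and scrubs the cause text, since a
// lower layer may have echoed the key. It uses %s instead of %w on purpose:
// wrapping would keep the unsanitized cause reachable through errors.Unwrap.
func SafeError(c RepoCreds, cause error) error {
	msg := cause.Error()
	if c.GithubAppPrivateKey != "" {
		msg = strings.ReplaceAll(msg, c.GithubAppPrivateKey, "******")
	}
	return fmt.Errorf("auth failed for %+v: %s", c.Sanitized(), msg)
}

func main() {
	// Constructed sample input; the key is a placeholder string.
	c := RepoCreds{URL: "https://github.example/org/repo", GithubAppID: 1, GithubAppPrivateKey: "CONSTRUCTED-KEY"}
	cause := errors.New("could not parse key CONSTRUCTED-KEY")
	fmt.Println(LeakyError(c, cause))
	fmt.Println(SafeError(c, cause))
}
```
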