Github App Private Key printed on auth failure

[james-callahan]

Checklist:

• I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
• I've included steps to reproduce the bug.
• I've pasted the output of argocd version.

Describe the bug

When trying to create an application, I saw in both a popup in the frontend UI, and in the logs from the server:

time="2023-02-07T03:07:17Z" level=info msg="finished unary call with code InvalidArgument" error="rpc error: code = InvalidArgument desc = application spec for argocd-admin is invalid: InvalidSpecError: repository not accessible: repositories not accessible: &Repository{Repo:https://github.com/james-callahan/gitops,Username:,Password:,SSHPrivateKey:,ConnectionState:ConnectionState{Status:,Message:,ModifiedAt:<nil>,},InsecureIgnoreHostKey:false,Insecure:false,EnableLFS:false,TLSClientCertData:,TLSClientCertKey:,Type:,Name:,InheritedCreds:true,EnableOCI:false,GithubAppPrivateKey:-----BEGIN RSA PRIVATE KEY-----\nTHEACTUALPRIVATEKEY\n-----END RSA PRIVATE KEY-----\n,GithubAppId:12345,GithubAppInstallationId:12345,GitHubAppEnterpriseBaseURL:,Proxy:,Project:,GCPServiceAccountKey:,ForceHttpBasicAuth:false,}" grpc.code=InvalidArgument grpc.method=Update grpc.service=application.ApplicationService grpc.start_time="2023-02-07T03:07:17Z" grpc.time_ms=38.558 span.kind=server system=grpc

where THEACTUALPRIVATEKEY is the actual private key for my github app.

Expected behavior

secret fields shouldn't be printed as part of error messages

Version

argocd-server: v2.6.0+acc554f

[crenshaw-dev]

Fixed with release 2.6.1. Thanks for catching this!

For future security issues, please start by reporting according to SECURITY.md. No big deal in this case, since it was an easy patch. But for more complicated fixes, reporting via private channels makes it a lot easier for the Argo team to develop/validate the patch(es) so we can roll them out in a responsible way.