Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(#1000) Do not display sensitive persisted package arguments #1002

Merged
merged 2 commits into from
May 30, 2023
Merged

(#1000) Do not display sensitive persisted package arguments #1002

merged 2 commits into from
May 30, 2023

Conversation

gep13
Copy link
Member

@gep13 gep13 commented May 30, 2023

Description Of Changes

When the ability to show remembered arguments in Chocolatey GUI was
first introduced, code from the set_package_config_for_upgrade (which
was renamed to SetConfigFromRememberedArguments) method was borrowed,
as it was doing very similar work. However, the code that was brought
over to Chocolatey GUI failed to realise that after splitting the
arguments on " --", when passed into the
arguments_contain_sensitive_information (which was renamed to
SensitiveArgumentsProvided) that a sensitive variable would no longer
be detected as this method expects that all arguments under test start
with a "-".

Motivation and Context

Ensure that no sensitive persisted arguments are displayed through Chocolatey GUI.

Testing

  1. Enable the Chocolatey feature to use remembered arguments
  2. Install a package using Chocolatey CLI where a sensitive argument is passed in, for example `choco install packageA --user=bob --password=bill"
  3. Open Chocolatey GUI and open the details window for the package that you just installed
  4. Click the "View Package Arguments" button
  5. Ensure that the value of the password argument is not shown

Operating Systems Testing

Windows 10

Change Types Made

  • Bug fix (non-breaking change).
  • Feature / Enhancement (non-breaking change).
  • Breaking change (fix or feature that could cause existing functionality to change).
  • Documentation changes.
  • PowerShell code changes.

Change Checklist

  • Requires a change to the documentation.
  • Documentation has been updated.
  • Tests to cover my changes, have been added.
  • All new and existing tests passed?
  • PowerShell code changes: PowerShell v2 compatibility checked?

Related Issue

Fixes #1000

gep13 added 2 commits May 30, 2023 11:40
@gep13
(chocolatey#1000) Ensure sensitive arguments are detected
42566a0 
When the ability to show remembered arguments in Chocolatey GUI was
first introduced, code from the set_package_config_for_upgrade (which
was renamed to SetConfigFromRememberedArguments) method was borrowed,
as it was doing very similar work.  However, the code that was brought
over to Chocolatey GUI failed to realise that after splitting the
arguments on " --", when passed into the
arguments_contain_sensitive_information (which was renamed to
SensitiveArgumentsProvided) that a sensitive variable would no longer
be detected as this method expects that all arguments under test start
with a "-".

Without a major refactoring of how this works, the simplest way is to
put "--" back on the start of each argument, before passing into the
arguments_contain_sensitive_information method, that way, it will
correctly return whether it is a sensitive argument or not.

There is a larger discussion around whether a sensitive argument should
be persisted or not, but that is otwith the scope of this change.
@gep13
(maint) Remove usage of obsolete methods
47e2093 
All of these methods have been marked as obsolete in Chocolatey
codebase, so switched to using the newly named versions.
@gep13 gep13 requested a review from AdmiringWorm May 30, 2023 13:12
@gep13 gep13 mentioned this pull request May 30, 2023
Merged
10 tasks
@gep13 gep13 changed the title Do not display sensitive persisted package arguments (#1000) Do not display sensitive persisted package arguments May 30, 2023
AdmiringWorm
AdmiringWorm approved these changes May 30, 2023
View reviewed changes
Copy link
Member

@AdmiringWorm AdmiringWorm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@AdmiringWorm AdmiringWorm merged commit a0082c2 into chocolatey:master May 30, 2023
@AdmiringWorm
Copy link
Member

@gep13 great work on getting this updated

@gep13 gep13 deleted the issue-1000 branch May 30, 2023 15:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AdmiringWorm AdmiringWorm AdmiringWorm approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@gep13 @AdmiringWorm