Lack of checking debug mode while logging sensitive information #107658

Closed
nevercodecorrect opened this issue Jan 9, 2024 · 1 comment · Fixed by #107676
@nevercodecorrect

The problem

Summary

In the code here, the lwa params containing the accept_grant_code along with client_secret will be output into the log.

Details

Information used for Alexa authentication will be output to the log regardless of whether the program is running in debug mode or not. Based on the condition checking here, lwa parameters should only be output when the program is running in debug mode. This type of issue is described in CWE-532: Insertion of Sensitive Information into Log File.

A malicious actor could collect the plaintext sensitive information via the log.

What version of Home Assistant Core has the issue?

2024.1.2

What was the last working version of Home Assistant Core?

No response

What type of installation are you running?

Home Assistant Core

Integration causing the issue

No response

Link to integration documentation on our website

No response

Diagnostics information

No response

Example YAML snippet

No response

Anything in the logs that might be useful for us?

No response

Additional information

No response
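The pattern reported above, next to a guarded form, as an added example that is not part of the original issue and is not Home Assistant's code. The key names in `SAMPLE`, the INFO level of the unguarded call, and all helper names are assumptions made for illustration; the values are constructed.

```python
import logging

# Constructed sample of LWA token-request parameters (key names are assumptions).
SAMPLE = {
    "grant_type": "authorization_code",
    "code": "constructed-accept-grant-code",
    "client_id": "constructed-client-id",
    "client_secret": "constructed-secret",
}
SENSITIVE_KEYS = {"code", "client_secret"}


def redact(params):
    """Return a copy of params with secret values masked for logging."""
    return {k: "**REDACTED**" if k in SENSITIVE_KEYS else v for k, v in params.items()}


class ListHandler(logging.Handler):
    """Collects rendered log messages so they can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(record.getMessage())


def log_unguarded(logger, lwa_params):
    # CWE-532 pattern: secrets reach the log in normal (non-debug) operation.
    logger.info("LWA params: %s", lwa_params)


def log_guarded(logger, lwa_params):
    # Emitted only when debug logging is enabled, and masked even then.
    if logger.isEnabledFor(logging.DEBUG):
        logger.debug("LWA params: %s", redact(lwa_params))


def run(level):
    """Log SAMPLE both ways at the given logger level; return captured lines."""
    logger = logging.getLogger(f"lwa_demo.{level}")
    logger.setLevel(level)
    logger.propagate = False
    results = {}
    for name, fn in (("unguarded", log_unguarded), ("guarded", log_guarded)):
        handler = ListHandler()
        logger.addHandler(handler)
        fn(logger, SAMPLE)
        logger.removeHandler(handler)
        results[name] = handler.lines
    return results
```

Masking in addition to the debug check matters because debug logs are often enabled temporarily and then shared in bug reports.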

@home-assistant

home-assistant bot commented Jan 9, 2024

Hey there @home-assistant/cloud, @ochlocracy, @jbouwh, mind taking a look at this issue as it has been labeled with an integration (alexa) you are listed as a code owner for? Thanks!

Code owner commands

Code owners of alexa can trigger bot actions by commenting:

  • @home-assistant close Closes the issue.
  • @home-assistant rename Awesome new title Renames the issue.
  • @home-assistant reopen Reopen the issue.
  • @home-assistant unassign alexa Removes the current integration label and assignees on the issue, add the integration domain after the command.
  • @home-assistant add-label needs-more-information Add a label (needs-more-information, problem in dependency, problem in custom component) to the issue.
  • @home-assistant remove-label needs-more-information Remove a label (needs-more-information, problem in dependency, problem in custom component) on the issue.

(message by CodeOwnersMention)


alexa documentation
alexa source
(message by IssueLinks)

@github-actions github-actions bot locked and limited conversation to collaborators Feb 9, 2024