
Gitlab Integration Token exposed when gitlab discovery plugin refresh task fails due to newline in token #816

Closed
Zaperex opened this issue Nov 23, 2023 · 4 comments

Comments

@Zaperex
Member

Zaperex commented Nov 23, 2023

Describe the bug

When setting up the GitLab discovery plugin with the GitLab integration via the Helm chart, the following error gets returned when the GitLab integration token contains a newline character:

2023-11-22T22:31:04.652Z catalog error GitlabDiscoveryEntityProvider:mygitlab refresh failed, TypeError: [REDACTED] is not a legal HTTP header value [REDACTED] is not a legal HTTP header value type=plugin target=GitlabDiscoveryEntityProvider:mygitlab class=GitlabDiscoveryEntityProvider$1 taskId=GitlabDiscoveryEntityProvider:mygitlab:refresh taskInstanceId=36d950ed-0ee9-4fbe-b462-948af9899143 stack=TypeError: glpat-<rest of the exposed token>
is not a legal HTTP header value
at validateValue (/opt/app-root/src/dynamic-plugins-root/backstage-plugin-catalog-backend-module-gitlab-dynamic-0.3.3/node_modules/node-fetch/lib/index.js:684:9)
at Headers.append (/opt/app-root/src/dynamic-plugins-root/backstage-plugin-catalog-backend-module-gitlab-dynamic-0.3.3/node_modules/node-fetch/lib/index.js:836:3)
at new Headers (/opt/app-root/src/dynamic-plugins-root/backstage-plugin-catalog-backend-module-gitlab-dynamic-0.3.3/node_modules/node-fetch/lib/index.js:761:11)
at new Request (/opt/app-root/src/dynamic-plugins-root/backstage-plugin-catalog-backend-module-gitlab-dynamic-0.3.3/node_modules/node-fetch/lib/index.js:1231:19)
at /opt/app-root/src/dynamic-plugins-root/backstage-plugin-catalog-backend-module-gitlab-dynamic-0.3.3/node_modules/node-fetch/lib/index.js:1449:19
at new Promise (<anonymous>)
at Object.fetch [as default] (/opt/app-root/src/dynamic-plugins-root/backstage-plugin-catalog-backend-module-gitlab-dynamic-0.3.3/node_modules/node-fetch/lib/index.js:1447:9)
at GitLabClient.pagedRequest (/opt/app-root/src/dynamic-plugins-root/backstage-plugin-catalog-backend-module-gitlab-dynamic-0.3.3/dist/index.cjs.js:300:53)
at GitLabClient.listProjects (/opt/app-root/src/dynamic-plugins-root/backstage-plugin-catalog-backend-module-gitlab-dynamic-0.3.3/dist/index.cjs.js:68:19)
at paginated.archived (/opt/app-root/src/dynamic-plugins-root/backstage-plugin-catalog-backend-module-gitlab-dynamic-0.3.3/dist/index.cjs.js:469:27)
at paginated (/opt/app-root/src/dynamic-plugins-root/backstage-plugin-catalog-backend-module-gitlab-dynamic-0.3.3/dist/index.cjs.js:321:17)
at paginated.next (<anonymous>)
at GitlabDiscoveryEntityProvider$1.refresh (/opt/app-root/src/dynamic-plugins-root/backstage-plugin-catalog-backend-module-gitlab-dynamic-0.3.3/dist/index.cjs.js:481:22)
at fn (/opt/app-root/src/dynamic-plugins-root/backstage-plugin-catalog-backend-module-gitlab-dynamic-0.3.3/dist/index.cjs.js:446:24)
at TaskWorker.fn (/opt/app-root/src/node_modules/@backstage/backend-tasks/dist/index.cjs.js:599:15)
at TaskWorker.runOnce (/opt/app-root/src/node_modules/@backstage/backend-tasks/dist/index.cjs.js:350:18)

Expected Behavior

Token is not exposed when errors occur (should be [REDACTED] throughout the entire error log)

What are the steps to reproduce this bug?

1. Enable the Gitlab Dynamic Plugin:

   ```yaml
   global:
     auth:
       backend:
         enabled: true
         existingSecret: ''
         value: ''
     clusterRouterBase: apps-crc.testing
     dynamic:
       includes:
         - dynamic-plugins.default.yaml
       plugins:
         - disabled: false
           package: >-
             ./dynamic-plugins/dist/backstage-plugin-catalog-backend-module-gitlab-dynamic
   ```

2. Add the gitlab entity provider configurations in your app configurations (via ConfigMap):

   ```yaml
   catalog:
     providers:
       gitlab:
         mygitlab:
           group: <your-group>
           host: gitlab.com
           schedule:
             frequency:
               minutes: 1
             initialDelay:
               seconds: 15
             timeout:
               minutes: 1
   ```

3. Populate GITLAB_TOKEN with the gitlab token in a Secret and apply both the Secret and ConfigMap to the Helm Chart, but accidentally encode it with a \n in it. E.g., if the token is abc, insert abc\n instead.
4. Start the backstage instance and wait for the GitlabDiscoveryEntityProvider to start fetching. It should throw the error described above when it tries to fetch, and expose the gitlab token in the stack trace.

Versions of software used and environment

RHDH image: quay.io/rhdh/rhdh-hub-rhel9:1.0-187
Helm Chart: https://github.com/rhdh-bot/openshift-helm-charts/raw/developer-hub-1.0-187-CI/charts/redhat/redhat/developer-hub/1.0-187-CI/developer-hub-1.0-187-CI.tgz

Upstream Issue

backstage/backstage#21503

@Zaperex Zaperex added kind/bug Something isn't working status/triage labels Nov 23, 2023
@Zaperex Zaperex changed the title Gitlab Integration Token exposed when gitlab discovery plugin refresh task fails Gitlab Integration Token exposed when gitlab discovery plugin refresh task fails due to invalid token Nov 23, 2023
@Zaperex Zaperex changed the title Gitlab Integration Token exposed when gitlab discovery plugin refresh task fails due to invalid token Gitlab Integration Token exposed when gitlab discovery plugin refresh task fails due to newline in token Nov 23, 2023
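The report above shows two separate defects: a token with a trailing newline reaches the HTTP client, and the redaction that covers the log message does not cover the `stack=` field, where the client's own error text quotes the value verbatim. The following is an added example (JavaScript, Node.js built-ins only; not code from Backstage, RHDH or node-fetch) that reproduces that failure mode with a constructed `leakyValidateValue` imitating the behaviour seen in the trace, then shows the two defensive layers: reject control characters at config-load time without echoing the value, and scrub known secrets from both `message` and `stack` before logging. The token value is constructed and the function names are assumptions.

```javascript
const REDACTED = '[REDACTED]';

// Characters a header value may contain: HTAB, printable ASCII, 0x80-0xFF.
// CR, LF, NUL etc. are rejected by HTTP clients such as node-fetch.
const ILLEGAL_HEADER_CHAR = /[^\t\x20-\x7e\x80-\xff]/;

// Constructed imitation of the client-side check from the stack trace: it
// interpolates the offending value into the TypeError, so whatever logs
// err.stack leaks the token. Not node-fetch's actual code.
function leakyValidateValue(value) {
  if (ILLEGAL_HEADER_CHAR.test(value)) {
    throw new TypeError(`${value} is not a legal HTTP header value`);
  }
  return value;
}

// Layer 1: validate the token when config is loaded, before any request is
// built. Report only the code point and position of the bad character, never
// the value itself (the `abc\n` case from the report fails at index 3).
function checkHeaderToken(token) {
  const m = ILLEGAL_HEADER_CHAR.exec(token);
  if (m) {
    const hex = token.charCodeAt(m.index).toString(16).toUpperCase().padStart(4, '0');
    throw new TypeError(
      `token contains illegal header character U+${hex} at index ${m.index} (value withheld)`,
    );
  }
  return token;
}

// Layer 2: scrub every known secret from BOTH message and stack before the
// error reaches a logger. Longest secrets first so a trimmed variant of a
// token cannot survive after its longer form is replaced.
function redactError(err, secrets) {
  const ordered = secrets.filter(Boolean).sort((a, b) => b.length - a.length);
  const scrub = (s) => ordered.reduce((acc, sec) => acc.split(sec).join(REDACTED), s ?? '');
  const out = new Error(scrub(err.message));
  out.name = err.name;
  out.stack = scrub(err.stack);
  return out;
}

// Reproduce the report with a constructed token (same prefix shape, not real).
function demo(token = 'glpat-EXAMPLE-NOT-A-REAL-TOKEN\n') {
  try {
    leakyValidateValue(token);
    return null;
  } catch (e) {
    // Redact the raw value and its trimmed form, since either may appear.
    return redactError(e, [token, token.trim()]);
  }
}
```

Running `demo()` yields an error whose message and stack both read `[REDACTED] is not a legal HTTP header value`, while `checkHeaderToken('abc\n')` fails before any request exists and names only `U+000A at index 3`.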
@Zaperex
Member Author

Zaperex commented Nov 27, 2023

Should be resolved in upstream for the 1.21.0 release.

@Zaperex Zaperex closed this as completed Nov 27, 2023
@kadel
Member

kadel commented Dec 19, 2023

We should not close this until we have a fix in the showcase

@kadel kadel reopened this Dec 19, 2023
@nickboldt
Member

Depends on #874

@jasperchui

Resolved.
