New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Hide string from logs in type_string when using secret=1 #2054
Conversation
Great PR! Please pay attention to the following items before merging: Files matching
This is an automatically generated QA checklist based on modified files |
fbd149e
to
9f30edd
Compare
Codecov Report
@@ Coverage Diff @@
## master #2054 +/- ##
=======================================
Coverage 79.84% 79.84%
=======================================
Files 70 70
Lines 7292 7292
=======================================
Hits 5822 5822
Misses 1470 1470
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be nice to extend unit tests but it looks generally good.
9f30edd
to
2c6114a
Compare
Actually there are plenty of UT for |
cecf1c5
to
8aa9ce2
Compare
while (my ($key, $value) = splice(@args, 0, 2)) { | ||
if ($key =~ tr/0-9a-zA-Z_//c) { | ||
# only quote if needed | ||
$key = pp($key); | ||
} | ||
$value = "[masked]" if ($key eq 'text' && $should_hide); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would suggest not doing this here. This is something which should be done inside the caller.
But if we wanna keep it. it looks better then before 👍 .
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hm, I didn't checked all log_call()
calles. There might be some who use text
as the key for secret value!
As I say, this is just bad code and should not be done in this function!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why would you want to handle that in the caller and not here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It was originally changed here: https://github.com/os-autoinst/os-autoinst/pull/2002/files#diff-3420c7e01f73caee7d97053af39990e3297daf42d06e0fc8848f78af1a5e009eL1464
and it was accepted, I'm just correcting it
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why would you want to handle that in the caller and not here?
Imagine code like this:
sub setup_secret {
my (%args) = @_;
bmwqemu::log_call(@_, secret => 1);
my $my_super_secret_password_is = $args{psk};
}
I understand the log_call()
function in that way, that it log parameters which are given. And there is just no format of them.
A workaround for me could be something like:
sub setup_secret {
my (%args) = @_;
bmwqemu::log_call(@_, -mask => ['psk']);
my $my_super_secret_password_is = $args{psk};
}
And hope that no one will use -mask
as parameters for the calling function :).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not exactly sure I understand your implementation proposal but it sounds like a better approach to explicitly pass a secret string around in an explicitly called variable rather than passing a string or text around and relying on an additional boolean variable to be correctly evaluated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not exactly sure I understand your implementation proposal but it sounds like a better approach to explicitly pass a secret string around in an explicitly called variable rather than passing a string or text around and relying on an additional boolean variable to be correctly evaluated
Is this a question for me?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My comment was a response to @cfconrad. That implicitly includes a suggestion to you that you could try to implement it like that, if you can :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed with @cfconrad that he will provide a PR with his implementation so we can compare better an decide what works better for us.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
here are my 5cent of this: #2062
bmwqemu::log_call(string => $string, max_interval => $max_interval, wait_screen_changes => $wait, wait_still_screen => $wait_still, | ||
timeout => $wait_timeout, similarity_level => $wait_sim_level); | ||
timeout => $wait_timeout, similarity_level => $wait_sim_level, secret => $args{secret}); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
bmwqemu::log_call(string => $string, max_interval => $max_interval, wait_screen_changes => $wait, wait_still_screen => $wait_still, | |
timeout => $wait_timeout, similarity_level => $wait_sim_level); | |
timeout => $wait_timeout, similarity_level => $wait_sim_level, secret => $args{secret}); | |
bmwqemu::log_call(string => ($args{secret}?'[masked]' : $string), max_interval => $max_interval, wait_screen_changes => $wait, wait_still_screen => $wait_still, | |
timeout => $wait_timeout, similarity_level => $wait_sim_level); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please don't repeat the logic again which should already be handled within bmwqemu.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Either we put the logic here or bmwqemu. I don't know which place is better.. so, I'm gonna think loud...
The good thing of having it here would be that we don't need to care about text|string
in log_call()
, but the problem is if we call log_call
from some other place than here is that we don't have the ability to hide a secret.
So, if we keep this logic in bmwqemu, we make sure that any call to log_call
with secret => 1
will be hidden, which is probably better..
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The good thing about our tests is that they show an effect of your change. See https://github.com/os-autoinst/os-autoinst/runs/6407456296?check_suite_focus=true#step:3:637
7:
7: # Failed test 'log_call hides sensitive info'
7: # at ./12-bmwqemu.t line 68.
7: # STDERR:
7: # [2022-05-12T14:10:27.956610Z] [debug] <<< main::log_call_test_secret(text="passwd\n", secret=1)
7: #
7: # doesn't match:
7: # (?^u:\<\<\<\ main\:\:log_call_test_secret\(text\=\"\[masked\]\"\,\ secret\=1\))
7: # as expected
7: # Looks like you failed 1 test of 5.
7:
7: # Failed test 'log_call'
7: # at ./12-bmwqemu.t line 69.
To reproduce you should be able to simply call prove -I. t/12-bmwqemu.t
, then extend the test according to your expectations.
Likely you want to extend t/03-testapi.t if bmwqemu.pm itself is behaving fine but calling log_call
incorrectly.
while (my ($key, $value) = splice(@args, 0, 2)) { | ||
if ($key =~ tr/0-9a-zA-Z_//c) { | ||
# only quote if needed | ||
$key = pp($key); | ||
} | ||
$value = "[masked]" if ($key eq 'text' && $should_hide); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why would you want to handle that in the caller and not here?
bmwqemu::log_call(string => $string, max_interval => $max_interval, wait_screen_changes => $wait, wait_still_screen => $wait_still, | ||
timeout => $wait_timeout, similarity_level => $wait_sim_level); | ||
timeout => $wait_timeout, similarity_level => $wait_sim_level, secret => $args{secret}); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please don't repeat the logic again which should already be handled within bmwqemu.
I think it is important to not only understand how to fix this but also why we doing this second time ... |
8aa9ce2
to
182c12e
Compare
|
The funny thing is that the only place where we are passing
and I would say this is the most sensitive case where we should consider... I have added a regex for |
Background: os-autoinst#2002 This PR is printing $string on the logs regardless if it's a secret or not.
182c12e
to
187b99b
Compare
BTW, if
|
you can not state this , for example when you really entering password it won't be displayed . e.g
|
if this is the case than I would assume single line https://github.com/os-autoinst/os-autoinst/pull/2054/files#diff-443ffbdc622ec9236041884826df475d69e3fa8ce40ec03c043c3ba66fae921bR222 would do the job and fix the problem . All other changes which comes together is a refactoring of existing approach and IMHO very questionable one . I really like initial approach suggested by Yannis the only missing piece in it is the fact that we have not only "text" but also "string" ... |
Not only that. |
yes, you are right, it was some misunderstanding of mine, please ignore this comment :) |
than how it is working here https://openqa.suse.de/tests/8736413/logfile?filename=autoinst-log.txt ? ( if you look for |
Right. I don't know. But take a look here: https://openqa.suse.de/tests/8405529/logfile?filename=autoinst-log.txt (2 months ago)
https://openqa.suse.de/tests/8738443/logfile?filename=autoinst-log.txt (recent)
|
I don't like that we don't have clear understanding what is going on but trying to "fix" something. You showing me place where password is exposed and I showing another where it is hidden without understanding why it happening like this there is no way to say if your patch make sense or not . I was looking closer into "my" "positive case " and it looks really strange , there is NO logging of
|
Correct. Same as for the case of VNC consoles: If you use |
This pull request is now in conflicts. Could you fix it? 🙏 |
#2062 should replace this. Please bring in new changes with tests in case something is still missing |
Background: #2002
This PR is printing $string on the logs regardless if it's a secret or not.
https://progress.opensuse.org/issues/111010
This should avoid things like