Security : at startup, configuration secrets are printed on log.Info() output #2930

Closed · ngc104 opened this issue Mar 29, 2021 · 1 comment · Fixed by #2938
Labels: bug (Something isn't working)

ngc104 commented Mar 29, 2021

Context

https://github.com/prymitive/karma/blob/main/internal/config/config.go#L424-L430

	// cfg is the fully parsed config struct; yaml.Marshal serialises every field,
	// credentials included, and each line is then written at Info level.
	out, _ := yaml.Marshal(cfg)
	log.Info().Msg("Parsed configuration:")
	scanner := bufio.NewScanner(bytes.NewReader(out))
	for scanner.Scan() {
		log.Info().Msg(scanner.Text())
	}
}

This prints the configuration on the log console (in Kubernetes, I can read it with kubectl logs <karma pod>).

Security problem

In my configuration, I have secrets for authentication on alertmanagers.

My secrets are printed there.

Fix suggestions

Here are suggestions for how this problem could be fixed.

  • print the configuration only in debug mode
  • parse the configuration lines where secrets can be, and replace them with stars (example: ... level=info msg=" Authorization: Bearer *************************")
  • don't print the configuration at all
  • put the configuration in variables and print the variable contents instead of the plain configuration file
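One way to implement the sanitising suggested above, as an added example that is not karma's own code: the config is copied with the password and credential-bearing headers masked before it is serialised for the log, while the live config keeps its real values. The struct and field names are hypothetical stand-ins for the real config struct.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed stand-in for karma's alertmanager config (hypothetical names).
type Alertmanager struct {
	Password string
	Headers  map[string]string
}

type Config struct {
	Alertmanagers []Alertmanager
}

const redacted = "*****"

// Header names (lower-cased) that conventionally carry a credential.
var secretHeaders = map[string]bool{
	"authorization": true, "proxy-authorization": true, "cookie": true, "x-api-key": true,
}

// Sanitized returns a copy of c with secret-bearing fields masked, for use only in
// the "Parsed configuration:" log output. The copy gets its own Headers map: a plain
// struct copy shares the map, so masking in place would blank the live credentials.
func (c Config) Sanitized() Config {
	out := Config{Alertmanagers: make([]Alertmanager, len(c.Alertmanagers))}
	for i, am := range c.Alertmanagers {
		cp := am
		if cp.Password != "" {
			cp.Password = redacted
		}
		cp.Headers = make(map[string]string, len(am.Headers))
		for k, v := range am.Headers {
			if secretHeaders[strings.ToLower(k)] {
				v = redacted
			}
			cp.Headers[k] = v
		}
		out.Alertmanagers[i] = cp
	}
	return out
}

func main() {
	cfg := Config{Alertmanagers: []Alertmanager{{Password: "hunter2", Headers: map[string]string{"Authorization": "Bearer s3cr3t", "X-Env": "prod"}}}}
	fmt.Printf("%+v\n", cfg.Sanitized()) // masked copy; cfg itself keeps the real values
}
```

Marshal the result of Sanitized() instead of cfg in the startup log, and keep that output behind the debug level as well so the masked dump is not emitted in normal operation.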
@prymitive prymitive self-assigned this Mar 30, 2021
prymitive (Owner) commented:
You can disable logging configuration via cli flags or config option - https://github.com/prymitive/karma/blob/main/docs/CONFIGURATION.md#log

I’ll add sanitising of logged values of the header map, it’s already done for other fields that contain secrets.

@prymitive prymitive added the bug Something isn't working label Mar 30, 2021
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 14, 2021