

fix: Redact auth tokens when logging CLI args
Redact anything that might be an auth token when logging the command line arguments to console. This occurs only when the log level is set to `info` or `debug`; the default is `warn`.
szokeasaurusrex committed Aug 1, 2024
1 parent 61a3294 commit 2665d8a
Showing 5 changed files with 27 additions and 8 deletions.
13 changes: 11 additions & 2 deletions src/commands/mod.rs
@@ -1,8 +1,8 @@
//! This module implements the root command of the CLI tool.
use std::env;
use std::io;
use std::process;
use std::{env, iter};

use anyhow::{bail, Result};
use clap::{value_parser, Arg, ArgAction, ArgMatches, Command};
Expand All @@ -12,6 +12,7 @@ use log::{debug, info, set_logger, set_max_level, LevelFilter};
use crate::api::Api;
use crate::config::{Auth, Config};
use crate::constants::{ARCH, PLATFORM, VERSION};
use crate::utils::auth_token;
use crate::utils::auth_token::AuthToken;
use crate::utils::logging::set_quiet_mode;
use crate::utils::logging::Logger;
Expand Down Expand Up @@ -281,7 +282,15 @@ pub fn execute() -> Result<()> {
info!(
"sentry-cli was invoked with the following command line: {}",
env::args()
.map(|a| format!("\"{a}\""))
// Check whether the previous argument is "--auth-token"
.zip(iter::once(false).chain(env::args().map(|arg| arg == "--auth-token")))
.map(|(a, is_auth_token_arg)| {
// Redact anything that comes after --auth-token or looks like a token
if is_auth_token_arg || auth_token::looks_like_auth_token(&a) {
return String::from("(redacted)");
}
format!("\"{a}\"")
})
.collect::<Vec<String>>()
.join(" ")
);
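Review bot: The `zip` on the line after `.map(|a| format!("\"{a}\""))` only flags the argument that follows an exact `--auth-token`, so a token passed in the combined form `--auth-token=<token>` (which clap accepts for long options by default, unless this CLI disables it) is not redacted: it is not the "next" argument, and `looks_like_auth_token` will not match because the string starts with `--auth-token=` rather than a token prefix. The cheapest guard is to extend the condition, `if is_auth_token_arg || a.starts_with("--auth-token=") || auth_token::looks_like_auth_token(&a) {`, so the whole combined argument is replaced by `(redacted)`. The `"--auth-token"` literal duplicates the argument name clap is configured with elsewhere; a short comment such as `// Must match the long name of the auth-token Arg defined above` would keep the two from drifting apart. The enclosing `execute()` starts before and ends after this hunk.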
11 changes: 10 additions & 1 deletion src/utils/auth_token/auth_token_impl.rs
@@ -1,6 +1,6 @@
//! Defines the AuthToken type, which stores a Sentry auth token.
use super::AuthTokenPayload;
use super::{AuthTokenPayload, ORG_AUTH_TOKEN_PREFIX, USER_TOKEN_PREFIX};
use super::{OrgAuthToken, UserAuthToken};
use std::fmt::{Display, Formatter, Result};

Expand Down Expand Up @@ -100,3 +100,12 @@ impl AuthTokenInner {
}
}
}

/// Returns whether a given string looks like it might be an auth token.
/// Specifically, we say a string looks like an auth token when it starts with one of the auth
/// token prefixes (sntrys_ or sntryu_) or passes the auth token soft validation.
pub fn looks_like_auth_token(s: &str) -> bool {
s.starts_with(ORG_AUTH_TOKEN_PREFIX)
|| s.starts_with(USER_TOKEN_PREFIX)
|| AuthToken::from(s).format_recognized()
}
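Review bot: The doc comment on `looks_like_auth_token` describes the matching rule but not its intent, which matters for anyone tempted to tighten it later: this function decides whether a value is redacted from logs, so it is deliberately over-inclusive and a false positive only hides a non-secret argument. I would add `/// This check is intentionally permissive: it gates log redaction, so a false positive only redacts a harmless argument, whereas a false negative leaks a secret.` to the docstring. Whether `AuthToken::from(s).format_recognized()` already covers the prefixed forms (making the two `starts_with` checks a fast path) or not (making them the only protection for a malformed prefixed token) cannot be told from this hunk, since `format_recognized` is defined elsewhere; a one-line comment stating which it is would help.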
5 changes: 4 additions & 1 deletion src/utils/auth_token/mod.rs
Expand Up @@ -5,7 +5,7 @@ mod error;
mod org_auth_token;
mod user_auth_token;

pub use auth_token_impl::AuthToken;
pub use auth_token_impl::{looks_like_auth_token, AuthToken};
pub use org_auth_token::AuthTokenPayload;

use error::{AuthTokenParseError, Result};
Expand All @@ -14,3 +14,6 @@ use user_auth_token::UserAuthToken;

#[cfg(test)]
mod test;

const ORG_AUTH_TOKEN_PREFIX: &str = "sntrys_";
const USER_TOKEN_PREFIX: &str = "sntryu_";
3 changes: 1 addition & 2 deletions src/utils/auth_token/org_auth_token.rs
@@ -1,7 +1,6 @@
use super::{AuthTokenParseError, Result};
use super::{AuthTokenParseError, Result, ORG_AUTH_TOKEN_PREFIX};
use serde::{Deserialize, Deserializer};

const ORG_AUTH_TOKEN_PREFIX: &str = "sntrys_";
const ORG_TOKEN_SECRET_BYTES: usize = 32;

/// Represents a valid org auth token.
3 changes: 1 addition & 2 deletions src/utils/auth_token/user_auth_token.rs
@@ -1,7 +1,6 @@
use super::{AuthTokenParseError, Result};
use super::{AuthTokenParseError, Result, USER_TOKEN_PREFIX};

const USER_TOKEN_BYTES: usize = 32;
const USER_TOKEN_PREFIX: &str = "sntryu_";

/// Represents a valid User Auth Token.
#[derive(Debug, Clone)]

