nomad job plan leaks VAULT_TOKEN in output #14423

Closed
gmichalec-pandora opened this issue Aug 31, 2022 · 2 comments · Fixed by #14424
Labels: stage/accepted, theme/cli, type/bug

Comments


gmichalec-pandora commented Aug 31, 2022

Nomad version

Nomad v1.3.4+ent

Operating system and Environment details

Debian 11

Issue

nomad job plan now requires a vault token to successfully run. The diff returned by the plan now includes the vault token, even if the token was submitted via environment variable or CLI option. This is a potential security risk - we run plans as part of our deploy pipeline, and this would result in the tokens being leaked in logs.

Reproduction steps

$  export VAULT_TOKEN=<THE ACTUAL VAULT TOKEN>
$ nomad job plan -verbose  /tmp/20220831121752/nomad.hcl.final
+/- Job: "sysad-sandbox-corp-dc6"
+/- Meta[DOCKER_TAG]: "0.0.8-master-121" => "master-latest"
+/- Meta[GIT_REPO]:   "https://bitbucket.savagebeast.com/scm/SYSAD/sysad-sandbox.git" => "ssh://git@bitbucket.savagebeast.com:2222/sysad/sysad-sandbox.git"
+   VaultToken:       "<THE ACTUAL VAULT TOKEN>"
+/- Task Group: "sysad-sandbox-group" (1 create/destroy update)
  +/- Task: "sysad-sandbox" (forces create/destroy update)
    +/- Config {
    ...

Expected Result

If the VAULT_TOKEN was not included in the original hcl file (i.e. passed via environment variable or CLI option), nomad job plan should not include it in the diff output.

Actual Result

The vault token is there, naked and for all to see ;)

Workaround

We can add a grep or other filter to scrub the vault token from the output, but this is both inconvenient and fragile.

See also: #14422
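The grep-style scrubbing workaround mentioned above, written out as an added example (not code from the issue or from Nomad): it redacts the VaultToken diff line and any other occurrence of the raw token value, and exposes a check a deploy pipeline can use to fail if the token still appears in the log. The sample plan output and token value are constructed placeholders.

```python
import re
import sys

# Constructed sample of `nomad job plan -verbose` output, modelled on the
# reproduction in the issue. The token value is a made-up placeholder.
SAMPLE_TOKEN = "hvs.EXAMPLEtokenValueNotReal0123"
SAMPLE_PLAN = f"""+/- Job: "sysad-sandbox-corp-dc6"
+/- Meta[DOCKER_TAG]: "0.0.8-master-121" => "master-latest"
+   VaultToken:       "{SAMPLE_TOKEN}"
+/- Task Group: "sysad-sandbox-group" (1 create/destroy update)
  +/- Task: "sysad-sandbox" (forces create/destroy update)
"""

# Matches the diff line the plan emits for the token, whatever its value.
# Group 1 keeps the diff marker, indentation and field name intact.
VAULT_TOKEN_LINE = re.compile(
    r'^(\s*[+\-/]*\s*VaultToken:\s*)"[^"]*"', re.MULTILINE
)


def scrub_plan_output(text: str, token: str = "") -> str:
    """Redact the VaultToken diff line and, when the token value is
    known, every other occurrence of it (e.g. echoed in an error)."""
    scrubbed = VAULT_TOKEN_LINE.sub(r'\1"<redacted>"', text)
    if token:
        scrubbed = scrubbed.replace(token, "<redacted>")
    return scrubbed


def leaked(text: str, token: str) -> bool:
    """Pipeline gate: True when the raw token is still present in text."""
    return bool(token) and token in text


if __name__ == "__main__":
    # Usage in a pipeline: nomad job plan ... | python3 scrub_plan.py
    # The token is read from the same VAULT_TOKEN variable nomad uses.
    import os
    raw = sys.stdin.read()
    sys.stdout.write(scrub_plan_output(raw, os.environ.get("VAULT_TOKEN", "")))
```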

lgfa29 added the theme/cli and stage/accepted labels Aug 31, 2022
@lgfa29 lgfa29 self-assigned this Aug 31, 2022

lgfa29 commented Aug 31, 2022

Thanks for the report @gmichalec-pandora!

We shouldn't be reading the Vault token in the diff at all, so I opened #14424 to fix this 🙂

github-actions bot commented

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 31, 2022