
Prevent leaking credentials to the console if malformed JSON is given #11599

Merged
merged 1 commit into from
Apr 27, 2022

Conversation


@zhimsel zhimsel commented Apr 27, 2022

If the JSON credentials are unable to be properly parsed, the error
message will output those very credentials in plain text to the
console. This is obviously a serious security concern for any CI systems
running Terraform that may produce this error.

There's really no reason to output the "this string is what we can't
parse" in the error message. The err is sufficient enough. The user
can inspect their own JSON credentials file.

I'm sure this can be done a better way, maybe by outputting it to the
debug logs; however, this is a quick and easy fix to remove the security
concern from this issue immediately while a better solution can be
found.

Closes #11598

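As an added illustration (not code from this pull request or from the Terraform provider), the following Go program contrasts the two error-construction patterns the description is about: one that embeds the unparsed credentials blob in the error text, and one that wraps only the underlying `json.Unmarshal` error and reports the input's length. The struct fields, function names and the malformed credentials sample are constructed for this example; the "private key" value is a placeholder string, not key material.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// serviceAccountCreds is a hypothetical credential shape; the field names are
// assumptions for this example, not the provider's real struct.
type serviceAccountCreds struct {
	Type        string `json:"type"`
	ClientEmail string `json:"client_email"`
	PrivateKey  string `json:"private_key"`
}

// malformedCreds is a constructed sample: a credentials blob whose closing
// brace is missing, so json.Unmarshal rejects it. The private_key value is a
// placeholder, not real key material.
const malformedCreds = `{"type": "service_account", "client_email": "ci@example.invalid", "private_key": "CONSTRUCTED-SECRET-KEY-MATERIAL"`

// parseCredentialsLeaky mirrors the behaviour the pull request removes: the
// error message embeds the entire unparsed input, so any logger or CI console
// that prints the error also prints the credentials.
func parseCredentialsLeaky(raw []byte) (*serviceAccountCreds, error) {
	var c serviceAccountCreds
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("unable to parse credentials JSON %q: %w", string(raw), err)
	}
	return &c, nil
}

// parseCredentialsSafe keeps the diagnostic value of the underlying error
// (encoding/json reports an offset and a token description, never the input)
// and adds only the input's length, not its contents.
func parseCredentialsSafe(raw []byte) (*serviceAccountCreds, error) {
	var c serviceAccountCreds
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("unable to parse credentials JSON (%d bytes): %w", len(raw), err)
	}
	return &c, nil
}

// errorEchoesInput is the check a reviewer or a unit test can apply to an
// error path: does the error text contain any of the values we treat as secret?
func errorEchoesInput(err error, secrets ...string) bool {
	if err == nil {
		return false
	}
	msg := err.Error()
	for _, s := range secrets {
		if s != "" && strings.Contains(msg, s) {
			return true
		}
	}
	return false
}

// isSyntaxError reports whether the wrapped cause is a JSON syntax error, so
// callers can still distinguish "malformed file" from other failures after
// the input text has been dropped from the message.
func isSyntaxError(err error) bool {
	var se *json.SyntaxError
	return errors.As(err, &se)
}

func main() {
	secret := "CONSTRUCTED-SECRET-KEY-MATERIAL"
	_, leakyErr := parseCredentialsLeaky([]byte(malformedCreds))
	_, safeErr := parseCredentialsSafe([]byte(malformedCreds))
	fmt.Printf("leaky error echoes secret:       %v\n", errorEchoesInput(leakyErr, secret))
	fmt.Printf("safe error echoes secret:        %v\n", errorEchoesInput(safeErr, secret))
	fmt.Printf("safe error still a syntax error: %v\n", isSyntaxError(safeErr))
	fmt.Println("safe error text:", safeErr)
}
```

Run it with `go run`: the leaky variant's error contains the placeholder key, the safe variant's does not, and `errors.As` still recognises the wrapped `*json.SyntaxError`, which is all a user needs to go and inspect their own credentials file. The `errorEchoesInput` check is the kind of assertion worth keeping in a provider's test suite for every error path that touches credential material.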

@megan07 megan07 left a comment


Sorry about that! Thanks for contributing!

@megan07 megan07 merged commit 21d0729 into hashicorp:main Apr 27, 2022
@github-actions

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 28, 2022
Successfully merging this pull request may close these issues.

Credentials are leaked to the console with malformed JSON input