Azure / azure-cli

Azure Command-Line Interface
MIT License

az command leaking data which is marked as secret in the swagger #27547

Open nascarsayan opened 1 year ago

nascarsayan commented 1 year ago

Describe the bug

The az command is not masking the user-provided password.

Related command

az connectedvmware vcenter connect

Errors

NIL

Issue script & Debug output

$ az connectedvmware vcenter connect --debug -g snaskar-rg -l northeurope -c /subscriptions/204898ee-cd13-4332-b9d4-55ca5c25496d/resourceGroups/snaskar-rg/providers/Microsoft.ExtendedLocation/customLocations/snaskar-vmware-special-char-cl --name snaskar-vmware-special-char-vc --fqdn arcvmw-vcen80.fareast.corp.microsoft.com

...
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies:     'Content-Length': '408'
cli.azure.cli.core.sdk.policies:     'Accept': 'application/json'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': '672763f3-6679-11ee-a038-c195d7941ead'
cli.azure.cli.core.sdk.policies:     'CommandName': 'connectedvmware vcenter connect'
cli.azure.cli.core.sdk.policies:     'ParameterSetName': '--debug -g -l -c --name --fqdn --username --password'
cli.azure.cli.core.sdk.policies:     'User-Agent': 'AZURECLI/2.52.0 azsdk-python-mgmt-connectedvmware/1.0.0b1 Python/3.8.10 (Linux-5.15.0-78-generic-x86_64-with-glibc2.29)'
cli.azure.cli.core.sdk.policies:     'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: {"location": "northeurope", "extendedLocation": {"type": "CustomLocation", "name": "/subscriptions/204898ee-cd13-4332-b9d4-55ca5c25496d/resourceGroups/snaskar-rg/providers/Microsoft.ExtendedLocation/customLocations/snaskar-vmware-special-char-cl"}, "properties": {"fqdn": "arcvmw-vcen80.fareast.corp.microsoft.com", "credentials": {"username": "vsphere.local\\svc_arcbridge", "password": "superstringpass"}}}

Expected behavior

The secret value should be masked from the response body. We can make changes in autorest/knack, or whichever library suits best, to hide a field which contains sensitive info.

Environment Summary

azure-cli 2.52.0 core 2.52.0 telemetry 1.1.0

Extensions:
arcappliance 1.0.0
connectedk8s 1.4.0
connectedmachine 0.6.0
connectedvmware 0.2.1
customlocation 0.1.3
k8s-extension 1.4.5
resource-graph 2.1.0
scvmm 0.1.8
connectedvmware 0.1.8 (dev) /home/arcvmware/Code/ms/azure/cli/azure-cli-extensions/src/connectedvmware
scvmm 0.1.6 (dev) /home/arcvmware/Code/ms/azure/cli/azure-cli-extensions/src/scvmm

Dependencies: msal 1.24.0b1 azure-mgmt-resource 23.1.0b2

Python location '/home/arcvmware/lib/azure-cli/bin/python' Extensions directory '/home/arcvmware/.azure/cliextensions' Development extension sources: /home/arcvmware/Code/ms/azure/cli/azure-cli-extensions

Python (Linux) 3.8.10 (default, May 26 2023, 14:05:08) [GCC 9.4.0]

Legal docs and information: aka.ms/AzureCliLegal

Additional context

No response
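One way to do what the Expected behavior section asks, as an added example that is not azure-cli, autorest or knack code: redact the fields the service's Swagger marks as secret before the request body is written to the debug log, and fall back to well-known key names for fields the spec forgot to annotate. The secret-path set (assumed to be derived from an annotation such as `x-ms-secret`), the key-name list, and the sample body are all constructed for this example; the subscription, FQDN and password values are placeholders, not the ones from the issue.

```python
import json

# Constructed: JSON paths that the service's Swagger marks as secret.
# In a real implementation this set would be generated from the spec
# (e.g. properties annotated with "x-ms-secret": true).
SECRET_FIELD_PATHS = {
    ("properties", "credentials", "password"),
}

# Constructed defence-in-depth fallback: key names that are masked
# wherever they appear, even if the spec did not annotate them.
SECRET_KEY_NAMES = {"password", "secret", "clientsecret", "sastoken"}

MASK = "*****"


def redact(obj, secret_paths=SECRET_FIELD_PATHS, secret_keys=SECRET_KEY_NAMES, _path=()):
    """Return a copy of obj with secret values replaced by MASK.

    Masks a value when its full key path is in secret_paths or when its
    key name (case-insensitive) is in secret_keys. List elements are
    traversed without adding a path component, so a secret inside an
    array item is still matched by the same path. The input is not
    modified: the real body must still be sent unchanged.
    """
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            child = _path + (key,)
            if child in secret_paths or str(key).lower() in secret_keys:
                out[key] = MASK
            else:
                out[key] = redact(value, secret_paths, secret_keys, child)
        return out
    if isinstance(obj, list):
        return [redact(item, secret_paths, secret_keys, _path) for item in obj]
    return obj


def redacted_body_for_log(body_json):
    """Redact a serialized JSON request body for the debug logger.

    Bodies that are not valid JSON are replaced wholesale rather than
    logged raw, so a malformed body cannot leak a secret either.
    """
    try:
        parsed = json.loads(body_json)
    except (TypeError, ValueError):
        return "<non-JSON body, %d bytes, not logged>" % len(body_json or "")
    return json.dumps(redact(parsed))


# Constructed sample mirroring the shape of the PUT body in the issue.
SAMPLE_BODY_DICT = {
    "location": "northeurope",
    "extendedLocation": {
        "type": "CustomLocation",
        "name": "/subscriptions/<sub>/resourceGroups/<rg>/providers/"
                "Microsoft.ExtendedLocation/customLocations/<cl>",
    },
    "properties": {
        "fqdn": "vcenter.example.invalid",
        "credentials": {
            "username": "vsphere.local\\svc_example",
            "password": "not-a-real-password",
        },
    },
}
SAMPLE_BODY = json.dumps(SAMPLE_BODY_DICT)


if __name__ == "__main__":
    # What the 'Request body:' debug line should carry instead of the raw body.
    print("Request body:", redacted_body_for_log(SAMPLE_BODY))
```

The header-level rule that already masks Authorization to '*****' in the log above does not help here, because the credential travels in the body; the body needs its own pass, and it has to run on a copy so the request that actually goes to the service is untouched.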

azure-client-tools-bot-prd[bot] commented 1 year ago

Hi @nascarsayan,

2.52.0 is not the latest Azure CLI (2.53.0).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

yonzhan commented 1 year ago

Thank you for opening this issue, we will look into it.

jiasli commented 1 year ago

Duplicate of https://github.com/Azure/azure-cli/issues/23740