OctopusDeploy / OctopusDSC

A PowerShell DSC resource for installing Octopus Deploy & Tentacles

[Bug fix] Prevent exposing API key secret in stdout logging #270

Closed paulegradie closed 3 years ago

paulegradie commented 3 years ago

Background

A customer revealed to us that we are exposing an API key secret during a call to Write-Verbose in one of our configuration scripts for cTentacleAgent. This was due to a redundant bit of logging that was not passed through our secret scrubber function Get-MaskedOutput. Removing the logging line resolves this problem while leaving the masked logging intact.

Results

Duplicate logging no longer occurs.

How to review this PR

We currently provide test coverage on the methods used to mask outputs; however, we do not test stdout via assent.

This issue has been reported to the School Security for their ongoing secrets related investigations.
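As an added illustration (not code from the OctopusDSC repository), the two logging patterns the description contrasts: a raw Write-Verbose of the configuration hashtable, which writes the key into the verbose stream in clear, beside the same logging routed through a masking helper, followed by the kind of check on the emitted text that the PR notes is missing. The helper name Get-MaskedConfigText, its masking rule and the sample values are assumptions standing in for the project's Get-MaskedOutput.

```powershell
# Hypothetical stand-in for the project's Get-MaskedOutput: renders a config
# hashtable as text with the values of secret-bearing keys replaced by a mask.
function Get-MaskedConfigText {
    param(
        [Parameter(Mandatory)] [hashtable] $Config,
        [string[]] $SecretKeys = @('OctopusApiKey')   # assumed key name
    )
    $lines = foreach ($key in $Config.Keys) {
        $value = if ($SecretKeys -contains $key) { '********' } else { $Config[$key] }
        '{0} = {1}' -f $key, $value
    }
    return ($lines -join '; ')
}

# Renders the hashtable with no masking at all (the pattern the PR removes).
function Get-RawConfigText {
    param([Parameter(Mandatory)] [hashtable] $Config)
    return (($Config.GetEnumerator() | ForEach-Object { '{0} = {1}' -f $_.Key, $_.Value }) -join '; ')
}

# Constructed sample configuration; the key is a placeholder, not a real one.
$config = @{
    Name             = 'Tentacle'
    OctopusServerUrl = 'https://octopus.example.com'
    OctopusApiKey    = 'API-PLACEHOLDERKEYDONOTUSE'
}

# Redundant logging of the kind the fix deletes: the key reaches the verbose
# stream, and from there any transcript or DSC log that captures it.
Write-Verbose ('Raw config: ' + (Get-RawConfigText -Config $config)) -Verbose

# Retained logging: the same data passed through the masking helper first.
$masked = Get-MaskedConfigText -Config $config
Write-Verbose ('Masked config: ' + $masked) -Verbose

# The check the PR says is absent: assert on the text that would be logged,
# not only on the masking function in isolation.
if ($masked.Contains($config.OctopusApiKey)) {
    throw 'Secret value reached the log text; masking was bypassed.'
}
```

Running the raw line with `-Verbose` reproduces the leak on the console; the final check fails only if a secret survives into the masked string.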

paulegradie commented 3 years ago

API key printed via DSC

rikrak commented 3 years ago

Is there any way to detect if we've been affected by this bug? ...or is it simpler to just change the API key?

matt-richardson commented 3 years ago

You'd have to use the audit log to review changes made via that api key. Best bet is to also change the api key, just in case.

attritionorg commented 3 years ago

@paulegradie Sorry for the late question, but what are the default permissions for where this was logged? Is this a proactive "just in case" fix and the file was e.g. 600 or equiv, or was the file world-readable? Thanks!