balena-io / balena-cli

The official balena CLI tool.
Apache License 2.0

Exposed Sentry.io authentication details in URI #1495

Open gitty8 opened 4 years ago

gitty8 commented 4 years ago

Potential security breach. See /lib/config.ts

pdcastro commented 4 years ago

Thanks for reporting it @gitty8. 👍 I think you mean the sentry.io URL in this line, right?

For context (for anyone else reading this issue), we use Sentry.io to automatically / remotely report uncaught errors (bugs) in the CLI. The username and password are not the CLI user's, but rather auth tokens generated to authenticate the balena CLI Sentry account/project. We should still try to avoid exposing it, nonetheless.

I suppose we could move the tokens (username and password) from the Sentry URL to HTTP headers, as described in the Sentry Authentication docs. As for where to store the tokens, storing in the source code also sounds less than ideal (especially in an open-source project). Perhaps we could fetch the tokens from a balena endpoint, which in turn could be linked to balena user authentication. (The latter would not work with openBalena, though, which allows the balena CLI to be used without a balenaCloud account.)
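One way to carry out the change proposed above (credentials moved out of the DSN URL into the X-Sentry-Auth header, following the documented Sentry authentication format), as an added TypeScript example that is not balena-cli's own code; the DSN, key and secret are constructed, and `redactUrlCredentials` is a hypothetical helper for log output:

```typescript
// Added example, not balena-cli code. Splits a Sentry DSN of the form
// https://<key>:<secret>@host/<project> into a credential-free store endpoint
// plus an X-Sentry-Auth header value, so the secret never appears in a URL.

interface SentryAuth {
  endpoint: string;    // https://host/api/<project>/store/ (no userinfo, safe to log)
  headerValue: string; // value for the X-Sentry-Auth request header
}

function splitSentryDsn(dsn: string, client: string, nowMs: number): SentryAuth {
  const u = new URL(dsn);
  const key = decodeURIComponent(u.username);
  const secret = decodeURIComponent(u.password);
  if (!key) {
    throw new Error('DSN carries no public key in its userinfo part');
  }
  // Project id is the last path segment; anything before it is a path prefix.
  const segments = u.pathname.split('/').filter((s) => s.length > 0);
  const projectId = segments.pop();
  if (!projectId) {
    throw new Error('DSN carries no project id');
  }
  const prefix = segments.length ? '/' + segments.join('/') : '';
  const endpoint = `${u.protocol}//${u.host}${prefix}/api/${projectId}/store/`;

  // Documented header format: "Sentry sentry_version=7, sentry_key=..., ..."
  const fields = [
    'sentry_version=7',
    `sentry_client=${client}`,
    `sentry_timestamp=${Math.floor(nowMs / 1000)}`,
    `sentry_key=${key}`,
  ];
  if (secret) {
    fields.push(`sentry_secret=${secret}`);
  }
  return { endpoint, headerValue: `Sentry ${fields.join(', ')}` };
}

// Hypothetical helper: strip userinfo from any URL before it reaches a log or terminal.
function redactUrlCredentials(text: string): string {
  return text.replace(/\/\/[^/@\s]+@/g, '//[REDACTED]@');
}

// Constructed sample DSN; real key/secret values would come from configuration, not source.
const sampleDsn = 'https://pubkey123:secret456@sentry.io/42';
const sample = splitSentryDsn(sampleDsn, 'balena-cli/example', 1700000000000);
console.log(sample.endpoint, '|', redactUrlCredentials(sampleDsn));
```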

pdcastro commented 4 years ago

I have taken the liberty of editing the issue title. The original title would give the impression that it is the CLI user's username and password that are exposed, which might cause some "panic". I don't mean to diminish the importance of the issue, just to more accurately represent its meaning.

Thanks again for reporting it. 👍

ahmetuludag commented 2 months ago

@pdcastro

If you use this notation: balena login --credentials --email johndoe@gmail.com --password secret

it actually sends your email and secret! So this issue should be prioritized I think.

pdcastro commented 2 months ago

CC: @thgreasi @dfunckt @klutchell

thgreasi commented 2 months ago

Hi @ahmetuludag, can you provide more information about the request that you are seeing being sent?

ahmetuludag commented 2 months ago

Hi @thgreasi

I've traced balena-cli network usage using mitmproxy and here's what I found:

[screenshot: balena-cli-trace]

It's sending sentry.io usage details and if you login by parameters like this:

balena login --credentials --email test@balena.com --password s3cR3T

It's sending your email and password in a JSON payload!