cf-platform-eng / concourse-pypi-resource

A Concourse CI resource for Python PyPI packages.
Apache License 2.0
11 stars, 15 forks

Pypi password exposed in command output #14

Closed idavidmcdonald closed 4 years ago

idavidmcdonald commented 4 years ago

We used this concourse resource but set the incorrect password for pypi.

We got the following output in Concourse which included various secrets such as the pypi password:

HTTPError: 403 Client Error: Invalid or non-existent authentication information. for url: https://xxxxxSECRETxxxxxxx:xxxxxSECRETxxxxxxx@test.pypi.org/legacy/
Finding package to upload
Glob notifications-python-client-master/dist/*.whl matched files: ['/tmp/build/put/notifications-python-client-master/dist/notifications_python_client-5.4.0-py2.py3-none-any.whl']
Uploading /tmp/build/put/notifications-python-client-master/dist/notifications_python_client-5.4.0-py2.py3-none-any.whl version 5.4.0
Traceback (most recent call last):
  File "/opt/resource/out", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.6/site-packages/pypi_resource/out.py", line 69, in main
    print(json.dumps(out(sys.argv[1], json.load(sys.stdin))))
  File "/usr/local/lib/python3.6/site-packages/pypi_resource/out.py", line 63, in out
    upload_package(pkgpath, input)
  File "/usr/local/lib/python3.6/site-packages/pypi_resource/out.py", line 52, in upload_package
    subprocess.run(twine_cmd, stdout=sys.stderr.fileno(), check=True)
  File "/usr/local/lib/python3.6/subprocess.py", line 418, in run
    output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command '['twine', 'upload', '--repository-url', 'https://xxxxxSECRETxxxxxxx:xxxxxSECRETxxxxxxx@test.pypi.org/legacy/', '--username', 'xxxxxSECRETxxxxxxx', '--password', 'xxxxxSECRETxxxxxxx', '/tmp/build/put/notifications-python-client-master/dist/notifications_python_client-5.4.0-py2.py3-none-any.whl']' returned non-zero exit status 1.

I think we shouldn't be logging out private keys like this.

We also ran this with the correct password and again got our password output:

Uploading distributions to https://xxxxxSECRETxxxxxxx:xxxxxSECRETxxxxxxx@test.pypi.org/legacy/
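
The two leaks in the report have the same root cause: the password is placed both in the repository URL (so twine echoes it in "Uploading distributions to ..." and in the HTTPError URL) and in `--password` on the twine argv (so `subprocess.CalledProcessError` repeats it in the traceback). The following is an added example, not the resource's own code and not the content of the PR discussed later; it shows the pattern a hardened `out` script would use: credentials go into the `TWINE_USERNAME` / `TWINE_PASSWORD` environment variables that twine itself reads, the URL is stripped of any embedded userinfo before it reaches argv, and a failed run is re-raised as an exception whose message has the secrets masked and whose chained `CalledProcessError` (which still carries the raw argv) is suppressed. Function names, the `UploadFailed` class and the stand-in "twine" used in the demo (a Python one-liner that exits 3) are constructed for this example.

```python
"""Keep PyPI credentials out of argv, URLs and subprocess errors (added example)."""
import os
import subprocess
import sys
from urllib.parse import quote, urlsplit, urlunsplit


def redact_url(url: str) -> str:
    """Strip the userinfo (user:password@) from a URL; leave other URLs untouched."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    host = parts.hostname or ""
    if ":" in host:  # bare IPv6 literal: urlsplit drops the brackets, put them back
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def mask(text: str, secrets) -> str:
    """Replace every secret, raw or percent-encoded as it would appear in a URL, with ***."""
    for secret in secrets:
        if not secret:
            continue
        for form in {secret, quote(secret, safe="")}:
            text = text.replace(form, "***")
    return text


def build_twine_command(repo_url: str, username: str, password: str, dist_path: str):
    """argv and environment for `twine upload` with no secret in argv or in the URL.

    twine reads TWINE_USERNAME / TWINE_PASSWORD from its environment, so the
    credentials never reach `ps`, /proc/<pid>/cmdline, shell tracing, or the argv
    that CalledProcessError prints. The URL is redacted in case the caller passed
    one with user:password@ embedded, which is what produced the leaks reported above.
    """
    env = dict(os.environ)
    env["TWINE_USERNAME"] = username
    env["TWINE_PASSWORD"] = password
    argv = ["twine", "upload", "--repository-url", redact_url(repo_url), dist_path]
    return argv, env


class UploadFailed(RuntimeError):
    """Raised instead of CalledProcessError so no traceback line carries the raw argv."""


def run_upload(argv, env, secrets, stdout=subprocess.DEVNULL) -> None:
    """Run argv; on a non-zero exit raise UploadFailed with every secret masked.

    A Concourse resource should pass stdout=sys.stderr so twine's output does not
    pollute the JSON that `out` must print on stdout. `from None` matters: without
    it Python prints the original CalledProcessError, argv included, as the
    "During handling of the above exception" context above ours.
    """
    try:
        subprocess.run(argv, env=env, stdout=stdout, check=True)
    except subprocess.CalledProcessError as exc:
        shown = mask(" ".join(exc.cmd), secrets)
        raise UploadFailed(f"twine exited with status {exc.returncode}: {shown}") from None


def demo_failed_upload() -> str:
    """Constructed failure: a stand-in for twine that exits 3 with a secret on its argv.

    Returns the message a Concourse user would see in the build log.
    """
    secret = "hunter2"  # constructed stand-in for a PyPI password or API token
    argv = [sys.executable, "-c", "import sys; sys.exit(3)", "--password", secret]
    try:
        run_upload(argv, dict(os.environ), [secret])
    except UploadFailed as exc:
        return str(exc)
    return "unexpected success"


if __name__ == "__main__":
    cmd, _ = build_twine_command(
        "https://user:hunter2@test.pypi.org/legacy/", "user", "hunter2", "dist/pkg.whl"
    )
    print("argv:", cmd)
    print("failure message:", demo_failed_upload())
```

Masking the argv after the fact is only the second line of defence; the first is never putting the secret there, which is why `build_twine_command` moves it to the environment and redacts the URL even when the caller embedded credentials in it.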

cf-gitbot commented 4 years ago

We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.

The labels on this github issue will be updated when the story is started.

marco-m-pix4d commented 4 years ago

hello @petewall we are happily using this resource but are concerned about this secret leak. Do you know if this bug is planned to be fixed? Would you be open to a PR ? thanks!

petewall commented 4 years ago

Hi @marco-m-pix4d ! Thanks for reaching out. Yeah, we'd totally entertain a PR. I'll make sure the CI is in place to test and merge in PRs.

manuel-cc commented 4 years ago

Hi @petewall, please find the proposed PR #24 to solve this issue.

mboldt commented 4 years ago

Thank you, @manuel-pix4d. We're doing a bit of cleanup to bring (and keep) dependencies up-to-date, automatically test PRs, etc. We will get your PR tested and merged when that's ready. Thank you for your patience!

mboldt commented 4 years ago

Merged #24 (sorry, I typoed the commit message and it says 21). New image now published on Docker Hub as latest (also tagged as version 0.5.2).

Thank you for this contribution!