chocolatey / chocolatey-licensed-issues

Issues for Licensed Editions of Chocolatey

CCM - Sensitive package parameters shown in database & Deployment Step page #267

Closed ryanrichter94 closed 2 years ago

ryanrichter94 commented 2 years ago

What You Are Seeing?

When running an advanced deployment within CCM passing --package-parameters-sensitive, they will be shown as plain text within the View Additional Deployment Step Details view. The sensitive package parameters are also written in plain text within the dbo.DeploymentSteps table of the CCM DB.

What is Expected?

The sensitive package parameters that get passed in an advanced deployment should be left off or obfuscated where shown & written.

How Did You Get This To Happen? (Steps to Reproduce)

Mocked up the following advanced deployment step within CCM:

choco upgrade chocolatey-agent --package-parameters-sensitive="'/Username:MyUsername /EnterPassword=""SuperSecretPassword""'"


References

┆Issue is synchronized with this Gitlab issue by Unito ┆Milestone: 0.7.0

verzada commented 2 years ago

Just an FYI, there's a typo in the example given:

--package-parameters-sensetive instead of --package-parameters-sensitive

The parameters look like this:

--install-arguments-sensitive=VALUE
--package-parameters-sensitive=VALUE

ref https://docs.chocolatey.org/en-us/choco/commands/upgrade
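
A sketch of the masking asked for under "What is Expected?", covering both option names mentioned in this thread. It is an added example, not CCM's or Chocolatey's own code; the function names, the `[REDACTED]` mask, the single-dash match and the sample rows are assumptions made for the illustration.

```python
import re

# Option names taken from the issue thread; extend for other secrets.
SENSITIVE_OPTIONS = ("package-parameters-sensitive", "install-arguments-sensitive")
MASK = "[REDACTED]"  # constructed placeholder, not a CCM value

# A value is a double- or single-quoted string (a doubled quote is an
# escaped quote) or a bare token. An unterminated quote runs to the end
# of the text, so a malformed command is over-masked rather than leaked.
_VALUE = r'''"(?:[^"]|"")*(?:"|$)|'(?:[^']|'')*(?:'|$)|\S+'''
# Single-dash spellings are matched too, as a precaution (assumption).
_SENSITIVE = re.compile(
    r"(?P<opt>--?(?:%s))(?P<sep>\s*=\s*|\s+)(?P<val>%s)"
    % ("|".join(re.escape(o) for o in SENSITIVE_OPTIONS), _VALUE),
    re.IGNORECASE,
)


def redact_sensitive(command: str) -> str:
    """Return the command with every sensitive option value masked."""
    return _SENSITIVE.sub(lambda m: m.group("opt") + m.group("sep") + MASK, command)


def has_unmasked_secret(command: str) -> bool:
    """True if any sensitive option still carries a value other than MASK."""
    return any(m.group("val") != MASK for m in _SENSITIVE.finditer(command))


# Constructed sample rows standing in for stored deployment step scripts.
SAMPLE_STEPS = [
    "choco upgrade chocolatey-agent --package-parameters-sensitive="
    "\"'/Username:MyUsername /EnterPassword=\"\"SuperSecretPassword\"\"'\"",
    "choco upgrade pkg --install-arguments-sensitive '/TOKEN=abc 123' --force",
    "choco upgrade pkg --package-parameters-sensitive=\"/Key=\"\"never closed",
    "choco upgrade pkg --package-parameters='/NoSecretHere'",
]

if __name__ == "__main__":
    for step in SAMPLE_STEPS:
        print(has_unmasked_secret(step), "->", redact_sensitive(step))
```

Masking has to happen before the step text is persisted or rendered; `has_unmasked_secret` can be run over already stored step text to find rows written before such a fix.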