search

cloudfoundry / java-buildpack

Cloud Foundry buildpack for running Java applications
Apache License 2.0
439 stars 2.58k forks source link

Dynatrace Integration Prints API Token Secret #967

Open TimGerlach opened 2 years ago

TimGerlach commented 2 years ago

Observed Issue

When using the Dynatrace integration of this buildpack it will log the complete API token into the staging logs of Cloud Foundry.

For example when running cf push with Dynatrace enabled it looks like the following:

-----> Downloading Dynatrace One Agent latest from https://<DYNATRACE_URL>/api/v1/deployment/installer/agent/unix/paas/latest?include=java&bitness=64&Api-Token=dt0c01.NDL63DNEONLLGXTYFDMZ4J47.C5YSHCIF22EWGTVZ2V7PLTZTR4XI6GSWEF4AARMFXLMKOOJUJB6QTTDXLY3J4QS2 (found in cache)

Expected Behaviour

According to the Dynatrace API token format specification the public portion of the token can be treated like a public secret key. This allows for identifying which token was used for staging the app. The secret portion of the token, however, should not be logged to avoid that it shows up in CI/CD pipelines, for example.

Therefore, a better way of logging the API token would be like so:

dt0c01.NDL63DNEONLLGXTYFDMZ4J47.<masked>
rbamberger commented 2 years ago

The integration uses the download function from the Buildpack-internal base component which prints out the whole Url. We are currently evaluating the option to adapt the sanitizer to prevent the logging of the secret portion of the key.