fugue / credstash

A little utility for managing credentials in the cloud
Apache License 2.0

get_session globally caches session ignoring kwargs, potentially accessing the wrong account on subsequent accesses #255

Closed glyph closed 4 years ago

glyph commented 5 years ago

I have credstashes in separate AWS accounts that are combined into a single AWS org. I'd like to be able to access across them in a management tool by specifying different profiles in the same process lifetime.

get_session erroneously caches "the session" as a single variable (get_session._cached_session) rather than treating access key / session token / profile name as a cache key to identify which session we might be talking about.

This isn't a security issue / vulnerability in the traditional sense, as it's not really exploitable by an outside actor, but it is dangerous: someone assuming the API docs were correct, and that getSecret was pulling from their staging environment when they passed their staging profile in explicitly, probably won't be expecting that their previous call to listSecrets, in response to a different API call, has permanently pointed their credstash module at their production account.
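The two caching behaviours described in the report, as an added example rather than credstash's own code: a single-slot cache that ignores its arguments after the first call, next to a cache keyed on the full argument tuple. The parameter names follow the access key / session token / profile name arguments the report mentions; `FakeSession` is a constructed stand-in for `boto3.Session` so the script runs offline, and the `prod` and `staging` profile names are invented for illustration.

```python
"""Single-slot session cache (the reported bug) versus a cache keyed on
the credential arguments. Added example, not credstash code; FakeSession
stands in for boto3.Session so this runs without AWS access."""
from collections import namedtuple

# Constructed stand-in for boto3.Session: it only records how it was built,
# which is enough to show which account a later call would actually hit.
FakeSession = namedtuple(
    "FakeSession",
    "aws_access_key_id aws_secret_access_key aws_session_token profile_name",
)


def get_session_buggy(aws_access_key_id=None, aws_secret_access_key=None,
                      aws_session_token=None, profile_name=None):
    """Single-slot cache: whatever arguments arrive first win for the rest
    of the process lifetime, and every later call's kwargs are ignored."""
    if get_session_buggy._cached_session is None:
        get_session_buggy._cached_session = FakeSession(
            aws_access_key_id, aws_secret_access_key,
            aws_session_token, profile_name)
    return get_session_buggy._cached_session


get_session_buggy._cached_session = None


def get_session_keyed(aws_access_key_id=None, aws_secret_access_key=None,
                      aws_session_token=None, profile_name=None):
    """Cache keyed on the full argument tuple: each (credentials, profile)
    combination gets its own session, and repeat calls with the same
    arguments still reuse the cached one."""
    key = (aws_access_key_id, aws_secret_access_key,
           aws_session_token, profile_name)
    session = get_session_keyed._cached_sessions.get(key)
    if session is None:
        session = FakeSession(*key)
        get_session_keyed._cached_sessions[key] = session
    return session


get_session_keyed._cached_sessions = {}


def demonstrate():
    """Replays the scenario from the report with hypothetical profile names.

    Returns (profile the buggy cache serves for the 'staging' call,
             profile the keyed cache serves for the 'staging' call,
             whether the keyed cache reuses a session on a repeat call).
    """
    # An earlier call (think listSecrets) ran against the prod profile...
    get_session_buggy(profile_name="prod")
    # ...so a later getSecret that explicitly asks for staging still gets prod.
    buggy = get_session_buggy(profile_name="staging")

    get_session_keyed(profile_name="prod")
    keyed = get_session_keyed(profile_name="staging")
    reused = get_session_keyed(profile_name="staging") is keyed
    return buggy.profile_name, keyed.profile_name, reused


if __name__ == "__main__":
    print(demonstrate())  # ('prod', 'staging', True)
```

With the keyed cache, a call that passes no arguments at all is cached under the all-`None` key, so a session built from the default credential chain is still constructed only once. Note that the key tuple holds the access key and session token in plain form; that is no worse than the session object itself, which already carries them, but it is one more place those values live for the life of the process.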