jdamata / terraform-provider-sonarqube

Terraform provider for managing Sonarqube configuration
GNU General Public License v3.0
62 stars 56 forks

Error message exposes API token #201

Open pierresebastien opened 1 year ago

pierresebastien commented 1 year ago

Terraform Version

Terraform v1.5.6 on linux_amd64

Affected Resource(s)

Terraform Configuration Files

resource "sonarqube_user" "john_doe" {
  login_name = "gitlab-john-doe"
  name       = "John Doe"
  email      = "john.doe@example.com"
  is_local   = false
}

resource "sonarqube_user_external_identity" "john_doe" {
  login_name        = sonarqube_user.john_doe.login_name
  external_identity = "john-doe"
  external_provider = "gitlab"
}

Expected Behavior

Show me an error without exposing sensitive data.

Actual Behavior

The API token used by the provider is exposed in the logs. Example: Error updating SonarQube user: failed to execute http request: POST https://squ_0000000000000000000000000000000000000000:@sonarqube.example.com/api/users/update_identity_provider?login=gitlab-john-doe&newExternalIdentity=john-doe&newExternalProvider=gitlab giving up after 5 attempt(s). Request: &{0xab1940 0xc00021c600}

Steps to Reproduce

  1. terraform apply

With the current behavior, the token used to connect to my self-hosted SonarQube instance is displayed in my CI/CD logs and so other people having read access to my GitLab repository could use it to gain more access to SonarQube.

agaillar commented 1 year ago

We had the same problem when trying to configure permissions and groups. The application was not available (error 502), and the credentials were included in the logs.

lkwg82 commented 5 months ago

A workaround until this is solved can be

(GNU sed)

set -o pipefail  # keep terraform's exit status instead of sed's, so a failed apply still fails the CI job
terraform apply 2>&1 | sed -e 's/\(http request: [A-Z]\+ https\?:\/\/\)[^@]*/\1***/g'

⚠️ Please check with an invalid host in your environment.