jssimporter / JSSImporter

JSSImporter is deprecated. Please see the wiki for alternatives
Apache License 2.0

JSSImporter shows passwords in terminal output #137

Closed grahampugh closed 5 years ago

grahampugh commented 6 years ago

This is new since curl started to be employed. We formerly didn't get credentials until -vvvv.

macmule commented 6 years ago

autopkg run -vvv jHelper\ GUI.download.recipe

{'Output': {'version': u'1.0'}} {u'API_PASSWORD': u'PASSWORD', u'API_USERNAME': u'USERNAME', 'AUTOPKG_VERSION': u'1.0.4', 'CHECK_FILESIZE_ONLY': False, 'CURL_PATH': '/usr/bin/curl', u'GIT_PATH': u'/Applications/Xcode.app/Contents/Developer/usr/bin/git', u'JSS_REPOS': [{ name = "DP NAME"; password = "Password"; }],

grahampugh commented 6 years ago

@macmule is right -vvv shows the AutoPkg passwords. But -v shouldn't show these values in the curl output.

crystalllized commented 6 years ago

I'm getting credentials in my output without any -v flags at all. Screenshot attached.

[screenshot: screen_shot_2018-05-30_at_1_10_18_pm]

conor-machugh commented 6 years ago

Same as above here.

grahampugh commented 6 years ago

Changed the title, since others report the password getting exposed without -v.

conor-machugh commented 6 years ago

So just to add a bit to this, all verbose entries in the autopkg_results.plist return as 0. Even though the output is most certainly verbose.

E.g.

<key>verbose</key>
<integer>0</integer>

rodgerramjet26 commented 6 years ago

I changed the logging level in curl_adapter.py from DEBUG (logger.setLevel(logging.DEBUG)) to INFO and it fixed it for me, i.e. logger.setLevel(logging.INFO).

Not sure if this is the actual underlying issue or not, but it is a temporary fix for those who need it.

conor-machugh commented 6 years ago

Tried @rodgerramjet26 suggestion, this also worked for me.

sheagcraig commented 6 years ago

@rodgerramjet26 thanks for looking at this!

Let me just confirm: so AutoPkg with level-4 verbosity does show passwords? It would be easy to just replace passwords with 10 * characters or something too, but if the AutoPkg example is already set up so that you can see passwords with max verbosity, let's fix that up.
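The two mitigations raised in this thread, dropping the DEBUG-level dump by raising the logger level (rodgerramjet26's change) and masking any password that still reaches a log line (sheagcraig's "10 * characters" idea), can be combined in one logging filter. The block below is an added illustration and is not JSSImporter's or AutoPkg's own code; the logger name, the credential field names it looks for (API_PASSWORD and password, taken from the pasted output above) and the sample strings are all constructed for the example.

```python
import logging
import re

# Field names whose values must never reach a log line. Assumed from the
# dump pasted earlier in this thread; extend for your own environment.
SECRET_KEYS = ("API_PASSWORD", "password")

_KEY_ALTERNATION = "|".join(re.escape(k) for k in SECRET_KEYS)

# Matches both dict-style  'API_PASSWORD': u'value'  and plist-style
# password = "value"; forms. The key group is kept, the value group is masked.
_PATTERN = re.compile(
    r'(?P<key>["\']?(?:' + _KEY_ALTERNATION + r')["\']?\s*[:=]\s*u?["\'])'
    r'(?P<val>[^"\']*)',
    re.IGNORECASE,
)

MASK = "*" * 10


def redact(text: str) -> str:
    """Replace the value of every credential-looking field with ten asterisks."""
    return _PATTERN.sub(lambda m: m.group("key") + MASK, text)


class RedactingFilter(logging.Filter):
    """Rewrites each record's message and %-args before any handler emits it.

    Attaching the filter to the handler (not the logger) means every logger
    that writes through that handler is covered, whatever its level.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if isinstance(record.args, tuple):
            record.args = tuple(redact(str(a)) for a in record.args)
        return True


class _ListHandler(logging.Handler):
    """Collects formatted lines in memory so the result can be inspected."""

    def __init__(self) -> None:
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def capture_log(level: int, message: str) -> list:
    """Log `message` at DEBUG through a logger set to `level`, with the
    redacting filter on the handler, and return what would have been written.

    At logging.INFO the DEBUG record is dropped entirely (the level fix);
    at logging.DEBUG it is written, but with the password masked.
    """
    logger = logging.getLogger("curl_adapter_example")  # hypothetical name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(level)
    handler = _ListHandler()
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.debug(message)
    return handler.lines


if __name__ == "__main__":
    # Constructed sample resembling the env dump pasted in this issue.
    sample = "{u'API_PASSWORD': u'hunter2', u'API_USERNAME': u'bob'}"
    print(capture_log(logging.INFO, sample))   # [] : record dropped at INFO
    print(capture_log(logging.DEBUG, sample))  # masked password at DEBUG
```

Raising the level alone only hides the dump until someone runs with enough verbosity to lower it again, so the filter is the part that actually keeps the credential out of the terminal.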

grahampugh commented 5 years ago

This behaviour was removed with the revert to using requests in v1.0.2b2.