nextflow-io / nextflow

A DSL for data-driven computational pipelines
http://nextflow.io
Apache License 2.0

Mask Tower Access Token in logs #5183

Open jashapiro opened 3 months ago

jashapiro commented 3 months ago

Bug report

Expected behavior and actual behavior

The .nextflow.log file includes tower access tokens when requests are made to the wave container service. I would expect that value to be excluded or at least masked for security, as I try to avoid storing any tokens in plain text.

Steps to reproduce the problem

Run a nextflow workflow that includes wave.enabled = true and a container

Program output

An example partial line from the logfile showing where the token would be printed.

Jul-29 19:18:56.183 [Actor Thread 9] DEBUG io.seqera.wave.plugin.WaveClient - Wave request: https://wave.seqera.io/v1alpha2/container; attempt=1 - request: SubmitContainerTokenRequest(towerAccessToken:{MASKED_FOR_GITHUB}, towerRefreshToken:null, ...

I am not uploading the full .nextflow.log file because it contains the token.

Environment

Additional context

I was only looking at the logs because of some failures to pull wave containers, which I thought might have been because of bumping into API limits. I was not able to confirm that or if the failures might have been for other transient reasons.

pditommaso commented 3 months ago

Thanks for reporting! Solved by https://github.com/seqeralabs/libseqera/commit/5b3d0667d774641768e2b6ed152b872dd521d804 and 96ec4ded
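For logs written before the fix, the following is an added example (not part of the thread and not Nextflow or libseqera code) that redacts the token fields from a `.nextflow.log` so the file can be attached to a bug report. The field names come from the log line quoted in the issue; the value pattern, the `<redacted>` marker and the sample lines are assumptions constructed for illustration.

```python
import re
import sys

# Field names as they appear in the quoted SubmitContainerTokenRequest line.
# Assumption: a value runs up to the next comma, closing parenthesis or space.
TOKEN_FIELD = re.compile(r'\b(towerAccessToken|towerRefreshToken):([^,)\s]+)')

def redact_line(line):
    """Return (redacted_line, number_of_token_values_masked)."""
    hits = 0
    def mask(match):
        nonlocal hits
        if match.group(2) == 'null':   # unset field, nothing to hide
            return match.group(0)
        hits += 1
        return f'{match.group(1)}:<redacted>'
    return TOKEN_FIELD.sub(mask, line), hits

def redact_log(text):
    """Redact a whole log; return (clean_text, line numbers that held a token)."""
    clean_lines, exposed = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        clean, hits = redact_line(line)
        if hits:
            exposed.append(number)
        clean_lines.append(clean)
    return '\n'.join(clean_lines), exposed

# Constructed sample: the token value and the surrounding lines are made up.
SAMPLE = '\n'.join([
    'Jul-29 19:18:55.900 [main] DEBUG nextflow.Session - Session start',
    'Jul-29 19:18:56.183 [Actor Thread 9] DEBUG io.seqera.wave.plugin.WaveClient'
    ' - Wave request: https://wave.seqera.io/v1alpha2/container; attempt=1'
    ' - request: SubmitContainerTokenRequest('
    'towerAccessToken:EXAMPLE_TOKEN_abc123, towerRefreshToken:null)',
    'Jul-29 19:18:57.010 [main] DEBUG nextflow.Session - Session await',
])

if __name__ == '__main__':
    # With a path argument, redact that file; otherwise use the sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding='utf-8') as handle:
            source = handle.read()
    else:
        source = SAMPLE
    clean, exposed = redact_log(source)
    print(clean)
    print(f'token values masked on lines: {exposed}', file=sys.stderr)
```

Redaction only makes the copy safe to share; a token that was already written to a log on shared storage should still be rotated.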