pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License
295 stars 92 forks

Invoke-PASRestMethod prints credentials #131

Closed karrth closed 5 years ago

karrth commented 5 years ago

Expected Behaviour

Do not write out a password to a stream

Current Behaviour

The password is printed out in the debug stream. This can result in the password being written to file if the stream is being logged.

Possible Solution

Remove write-debug for REST parameters

Steps to Reproduce (for bug reports)

1. Set $DebugPreference = 'Continue'

2. Run New-PASSession

Sample Output

[DEBUG] [URI, https://mycyberark/PasswordVault/api/Auth/LDAP/Logon] [Method, POST] [Body, { "username": "myusername", "type": "LDAP", "password": "mypassword" }] [SessionVariable, PASSession] [UseDefaultCredentials, False] [ContentType, application/json] [UseBasicParsing, True]

Context

Since this module is used to access/modify credential objects, I'd prefer to log all streams for auditing purposes. This write-debug results in the user's credentials being written to log.

pspete commented 5 years ago

Hi @karrth -

Adding my comment from PR #132 here:

I agree with your point of not capturing the password in the debug stream, however, that debug output can be useful for troubleshooting the request payload of other module functions. Leaving Invoke-PASRestMethod as it is, would the same effect be achieved by adding -Debug:$false to the invocation of Invoke-PASRestMethod in New-PASSession?

$PASSession = Invoke-PASRestMethod -Uri $URI -Method POST -Body $Body -SessionVariable $SessionVariable -UseDefaultCredentials:($UseDefaultCredentials.IsPresent) -Debug:$false
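
A middle ground between the two positions in this thread, as an added example that is not psPAS code: mask sensitive JSON properties before the request parameters reach Write-Debug, so the payload stays available for troubleshooting. The function name `Get-RedactedDebugText` and the list of sensitive keys are assumptions, and the sample input is constructed from the issue's sample output.

```powershell
# Hypothetical helper (added example, not part of psPAS).
function Get-RedactedDebugText {
    [CmdletBinding()]
    param(
        # Parameters of the REST call, e.g. $PSBoundParameters
        [Parameter(Mandatory)]
        [System.Collections.IDictionary]$Parameters,

        # JSON property names that must never reach a stream (assumed list)
        [string[]]$SensitiveKeys = @('password', 'newPassword', 'secret')
    )

    $parts = foreach ($key in $Parameters.Keys) {
        $value = $Parameters[$key]
        if ($key -eq 'Body' -and $value -is [string]) {
            try {
                $json = $value | ConvertFrom-Json -ErrorAction Stop
                # Only a flat JSON object is inspected; anything else is withheld
                if ($json -isnot [System.Management.Automation.PSCustomObject]) {
                    throw 'Unexpected body shape'
                }
                foreach ($prop in $json.PSObject.Properties) {
                    # -contains is case-insensitive, so "Password" is masked too
                    if ($SensitiveKeys -contains $prop.Name) { $prop.Value = '******' }
                }
                $value = $json | ConvertTo-Json -Compress -Depth 10
            }
            catch {
                # Fail closed: a body that cannot be inspected is not logged at all
                $value = '<body withheld>'
            }
        }
        "[$key, $value]"
    }
    $parts -join ' '
}

# Constructed sample mirroring the debug output in the issue
$sample = [ordered]@{
    Uri    = 'https://mycyberark/PasswordVault/api/Auth/LDAP/Logon'
    Method = 'POST'
    Body   = '{ "username": "myusername", "type": "LDAP", "password": "mypassword" }'
}
$DebugPreference = 'Continue'
Write-Debug (Get-RedactedDebugText -Parameters $sample)
```

Nested properties are not walked here; a body that carries secrets below the top level would need a recursive pass or should be withheld entirely.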