Closed karrth closed 5 years ago
Hi @karrth -
Adding my comment from PR #132 here:
I agree with your point of not capturing the password in the debug stream, however, that debug output can be useful for troubleshooting the request payload of other module functions.
Leaving Invoke-PASRestMethod as it is, would the same effect be achieved by adding -Debug:$false to the invocation of Invoke-PASRestMethod in New-PASSession?
$PASSession = Invoke-PASRestMethod -Uri $URI -Method POST -Body $Body -SessionVariable $SessionVariable -UseDefaultCredentials:($UseDefaultCredentials.IsPresent) -Debug:$false
Expected Behaviour
Do not write out a password to a stream
Current Behaviour
The password is printed out in the debug stream. This can result in the password being written to file if the stream is being logged.
Possible Solution
Remove write-debug for REST parameters
Steps to Reproduce (for bug reports)
1. Set $DebugPreference = 'Continue'
2. Run New-PASSession
Sample Output
[DEBUG] [URI, https://mycyberark/PasswordVault/api/Auth/LDAP/Logon] [Method, POST] [Body, { "username": "myusername", "type": "LDAP", "password": "mypassword" }] [SessionVariable, PASSession] [UseDefaultCredentials, False] [ContentType, application/json] [UseBasicParsing, True]
Context
Since this module is used to access/modify credential objects, I'd prefer to log all streams for auditing purposes. This write-debug results in the user's credentials being written to log.
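
One way to keep the request dump available for troubleshooting while masking the secret before it reaches the debug stream, as an added example that is not part of this issue or of psPAS. The function name Get-RedactedParameterDump, the SensitiveKeys list and the mask strings are assumptions, and only top-level JSON properties of the body are inspected.

```powershell
# Hypothetical helper (not psPAS code): masks secret values in a REST
# parameter set before the set is written to the debug stream.
function Get-RedactedParameterDump {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Collections.IDictionary]$Parameters,

        # Property names treated as secret; this list is an assumption.
        [string[]]$SensitiveKeys = @('password', 'newPassword', 'secret')
    )

    $Safe = @{}
    foreach ($Key in $Parameters.Keys) {
        $Value = $Parameters[$Key]
        if ($Key -eq 'Body' -and $Value -is [string]) {
            try {
                # Parse the JSON body and mask matching top-level properties.
                $Json = $Value | ConvertFrom-Json -ErrorAction Stop
                foreach ($Property in $Json.PSObject.Properties) {
                    if ($SensitiveKeys -contains $Property.Name) {
                        $Property.Value = '******'
                    }
                }
                $Value = $Json | ConvertTo-Json -Compress
            }
            catch {
                # Body is not JSON: withhold it rather than risk a leak.
                $Value = '<body withheld>'
            }
        }
        $Safe[$Key] = $Value
    }
    # Emit "[Key, Value]" pairs in the same shape as the sample output above.
    ($Safe.GetEnumerator() | Sort-Object Key |
        ForEach-Object { "[$($_.Key), $($_.Value)]" }) -join ' '
}

# Constructed input mirroring the sample output in this issue.
$Request = @{
    Uri    = 'https://mycyberark/PasswordVault/api/Auth/LDAP/Logon'
    Method = 'POST'
    Body   = '{"username":"myusername","type":"LDAP","password":"mypassword"}'
}
Write-Debug (Get-RedactedParameterDump -Parameters $Request)
```

With $DebugPreference = 'Continue', the debug line still shows the URI, method and username, but the password value appears as ******.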