yast / yast-network

YaST module network
http://en.opensuse.org/Portal:YaST
GNU General Public License v2.0

PoC: Guard secret attributes against leaking to the logs V1.0 #1359

Closed shundhammer closed 7 months ago

shundhammer commented 7 months ago

Proof of Concept [superseded]

Problem

Secret attributes of the wifi connection object might leak to the logs, e.g. if methods like inspect() are used.

Fix

Use a custom inspect() method that clones the original object and sanitizes all fields that should not be logged verbatim (replacing each one with a special string <sanitized>).

Related PR

Superseded by PR #1360 which uses attr_secret from YaST2::SecretAttributes.
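
The clone-and-sanitize `inspect` approach from the Fix section above, sketched in Ruby as an added example that is not the code from this PR or from yast-network. The class `WifiConfig`, its attribute names and the `SECRET_IVARS` list are assumptions made for illustration.

```ruby
# Constructed stand-in for a wifi connection object; the class and attribute
# names are hypothetical and not taken from yast-network.
class WifiConfig
  SANITIZED = "<sanitized>".freeze
  # Instance variables that must never reach a log verbatim (assumed list).
  SECRET_IVARS = %i[@wpa_psk @wpa_password @client_key_password].freeze

  attr_accessor :essid, :auth_mode, :wpa_psk, :wpa_password, :client_key_password

  def initialize(essid:, auth_mode:, wpa_psk: nil, wpa_password: nil, client_key_password: nil)
    @essid = essid
    @auth_mode = auth_mode
    @wpa_psk = wpa_psk
    @wpa_password = wpa_password
    @client_key_password = client_key_password
  end

  # Shallow copy with every secret that is set replaced by the marker.
  # nil stays nil, so the log still shows which secrets were configured.
  def sanitized
    copy = dup
    SECRET_IVARS.each do |ivar|
      next if copy.instance_variable_get(ivar).nil?

      copy.instance_variable_set(ivar, SANITIZED)
    end
    copy
  end

  # Called by Kernel#p, Array#inspect and any "#{obj.inspect}" log line.
  # Runs the default Kernel#inspect on the sanitized copy, so the original
  # object is never modified. The printed object address is the copy's.
  def inspect
    Object.instance_method(:inspect).bind(sanitized).call
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values.
  sample = WifiConfig.new(essid: "office", auth_mode: :psk, wpa_psk: "constructed-passphrase")
  puts "connection: #{sample.inspect}"  # what a log call would write
  puts "real value still usable: #{sample.wpa_psk == 'constructed-passphrase'}"
end
```

The copy is shallow, so a secret held inside a nested object or collection is only covered if that object guards its own `inspect`.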

coveralls commented 7 months ago

Coverage Status

coverage: 80.8% (+0.02%) from 80.781% when pulling 32ea09d2a48e8b6d86accc802035f5026961240e on huha-fix-pw-leak into 2ac81c0d38ab61112f059e97af6b3a1dc60db03a on master.

joseivanlopez commented 7 months ago

I think SecretAttributes mixin could be useful here, see https://github.com/yast/yast-yast2/blob/master/library/general/src/lib/yast2/secret_attributes.rb.

shundhammer commented 7 months ago

Superseded by PR #1360 which uses secret_attr from YaST::SecretAttributes.