Mask username and password when a login exception is thrown #3354

Closed
spursbob opened this issue Jun 11, 2021 · 1 comment · Fixed by #3355
Labels
bug 🐛 CLI 💻 Related to the command-line interface, such as the cmd, store, etc. commands

Comments

@spursbob

Is your feature request related to a problem? Please describe.
The username and password stored in /root/.codechecker.passwords.json were printed in the console output when an exception was thrown when running "CodeChecker cmd login".

```
[INFO 2021-06-09 18:43] - Checking local passwords or tokens in /root/.codechecker.passwords.json
[INFO 2021-06-09 18:43] - Checking for local valid sessions.
[INFO 2021-06-09 18:43] - Logging in using preconfigured credentials...
[ERROR 2021-06-09 18:44] - Thrift invalid data error.
[ERROR 2021-06-09 18:44] - performLogin
[ERROR 2021-06-09 18:44] - ['Username:Password', 'ACTUAL_USERNAME:ACTUAL_PASSWORD']
[ERROR 2021-06-09 18:44] - {}
[ERROR 2021-06-09 18:44] - Request failed.
Traceback (most recent call last):
  File "/install/codechecker/build/CodeChecker/lib/python3/codechecker_client/thrift_call.py", line 45, in wrapper
    return func(*args, **kwargs)
  File "/install/codechecker/venv/lib/python3.8/site-packages/codechecker_api/Authentication_v6/codeCheckerAuthentication.py", line 207, in performLogin
    return self.recv_performLogin()
  File "/install/codechecker/venv/lib/python3.8/site-packages/codechecker_api/Authentication_v6/codeCheckerAuthentication.py", line 220, in recv_performLogin
    (fname, mtype, rseqid) = iprot.readMessageBegin()
  File "/install/codechecker/venv/lib/python3.8/site-packages/thrift/protocol/TJSONProtocol.py", line 417, in readMessageBegin
    self.readJSONArrayStart()
  File "/install/codechecker/venv/lib/python3.8/site-packages/thrift/protocol/TJSONProtocol.py", line 405, in readJSONArrayStart
    self.readJSONSyntaxChar(LBRACKET)
  File "/install/codechecker/venv/lib/python3.8/site-packages/thrift/protocol/TJSONProtocol.py", line 255, in readJSONSyntaxChar
    raise TProtocolException(TProtocolException.INVALID_DATA,
thrift.protocol.TProtocol.TProtocolException: Unexpected character: b'<'
```

We have .codechecker.passwords.json stored in a secret file in Jenkins. When this error occurred the username and password were printed in the Jenkins console output for anyone to see.

Describe the solution you would like
If a login exception is thrown the username and password shouldn't be printed in the console output.
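The leak above comes from an RPC wrapper that dumps every argument of the failing call into the error log. The following is an added example (not CodeChecker's own `thrift_call.py` code, and `SENSITIVE_METHODS`, `redact_args`, `format_failure` and `demo` are hypothetical names) showing a wrapper that still records which call failed but masks the arguments of credential-carrying methods such as `performLogin` before they reach the log:

```python
import functools
import logging
from logging.handlers import BufferingHandler

LOG = logging.getLogger("redacting_thrift_call")

# Hypothetical allowlist (an assumption, not CodeChecker's own config): RPC
# methods whose arguments carry credentials and must never reach the log.
SENSITIVE_METHODS = {"performLogin"}
MASK = "<redacted>"

def redact_args(func_name, args, kwargs):
    """Return copies of the call arguments that are safe to log."""
    if func_name in SENSITIVE_METHODS:
        return tuple(MASK for _ in args), {k: MASK for k in kwargs}
    return args, kwargs

def format_failure(func_name, args, kwargs):
    """Build the diagnostic line logged when an RPC call raises."""
    safe_args, safe_kwargs = redact_args(func_name, args, kwargs)
    return "%s failed; args=%r kwargs=%r" % (func_name, safe_args, safe_kwargs)

def thrift_call(func):
    """Decorator: log a redacted diagnostic when the call fails, then re-raise."""
    @functools.wraps(func)
    def wrapper(*args, **kwargs):
        try:
            return func(*args, **kwargs)
        except Exception:
            LOG.error(format_failure(func.__name__, args, kwargs))
            raise
    return wrapper

def demo():
    """Replay the failing login from the report; return the logged lines."""
    handler = BufferingHandler(capacity=100)  # keeps records in handler.buffer
    LOG.addHandler(handler)

    @thrift_call
    def performLogin(auth_method, auth_string):  # constructed stand-in for the RPC stub
        raise ValueError("Unexpected character: b'<'")  # constructed failure

    try:
        performLogin("Username:Password", "ACTUAL_USERNAME:ACTUAL_PASSWORD")
    except ValueError:
        pass
    LOG.removeHandler(handler)
    return [record.getMessage() for record in handler.buffer]
```

Calls to methods outside the allowlist keep their arguments in the diagnostic, so normal debugging output is unchanged while the credential string is never written.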

@csordasmarton csordasmarton added bug 🐛 CLI 💻 Related to the command-line interface, such as the cmd, store, etc. commands labels Jun 11, 2021
@csordasmarton
Contributor

@spursbob Thank you for this bug report. Yes, this is a serious security leak. I created a patch (#3355) which will solve this problem.
