-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(toolkit): stop 'cdk doctor' from printing AWS_ variables #2357
Conversation
|
||
function anonymizeAwsVariable(name: string, value: string) { | ||
if (name === 'AWS_ACCESS_KEY_ID') { return value.substr(0, 4) + '*'.repeat(Math.max(0, value.length - 4)); } | ||
if (name === 'AWS_SECRET_ACCESS_KEY') { return '*'.repeat(value.length); } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No strong feelings, but I'd usually literally output <redacted>
for those instead of a string of *
s.
function anonymizeAwsVariable(name: string, value: string) { | ||
if (name === 'AWS_ACCESS_KEY_ID') { return value.substr(0, 4) + '*'.repeat(Math.max(0, value.length - 4)); } | ||
if (name === 'AWS_SECRET_ACCESS_KEY') { return '*'.repeat(value.length); } | ||
if (name === 'AWS_SESSION_TOKEN') { return '*'.repeat(50); } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No strong feelings, but I'd usually literally output <redacted>
for those instead of a string of *
s.
@@ -68,3 +68,10 @@ function displayCdkEnvironmentVariables() { | |||
} | |||
return healthy; | |||
} | |||
|
|||
function anonymizeAwsVariable(name: string, value: string) { | |||
if (name === 'AWS_ACCESS_KEY_ID') { return value.substr(0, 4) + '*'.repeat(Math.max(0, value.length - 4)); } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And here, I would put ####<redacted>
. I also don't know whether the "common" practice is to show few first or few last... Maybe should research some weak evidence of what others do (we don't want to cause leaking a head when other tools leak the tail - that'd be us giving out additional info)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm leaking the first 4 characters on purpose, because they tell us the type of access key used:
- AKIA for long-lived (user) keys.
- ASIA for short-lived (session, role) keys.
These are standardized and not part of the secret material.
Would be nice to have a test for this... |
Needs to be an integ test, so goes into a different package. |
Fixes #1931.
Pull Request Checklist
design
folderBy submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.