Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(toolkit): stop 'cdk doctor' from printing AWS_ variables #2357

Merged
merged 2 commits into from
Apr 23, 2019
Merged

fix(toolkit): stop 'cdk doctor' from printing AWS_ variables #2357

merged 2 commits into from
Apr 23, 2019

Conversation

rix0rrr
Copy link
Contributor

@rix0rrr rix0rrr commented Apr 23, 2019

Fixes #1931.

Pull Request Checklist

  • Testing
    • Unit test added (prefer not to modify an existing test, otherwise, it's probably a breaking change)
    • CLI change?: coordinate update of integration tests with team
    • cdk-init template change?: coordinated update of integration tests with team
  • Docs
    • jsdocs: All public APIs documented
    • README: README and/or documentation topic updated
    • Design: For significant features, design document added to design folder
  • Title and Description
    • Change type: title prefixed with fix, feat and module name in parens, which will appear in changelog
    • Title: use lower-case and doesn't end with a period
    • Breaking?: last paragraph: "BREAKING CHANGE: <describe what changed + link for details>"
    • Issues: Indicate issues fixed via: "Fixes #xxx" or "Closes #xxx"
  • Sensitive Modules (requires 2 PR approvers)
    • IAM Policy Document (in @aws-cdk/aws-iam)
    • EC2 Security Groups and ACLs (in @aws-cdk/aws-ec2)
    • Grant APIs (only if not based on official documentation with a reference)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.

@rix0rrr rix0rrr requested a review from a team as a code owner April 23, 2019 09:33
RomainMuller
RomainMuller approved these changes Apr 23, 2019
View reviewed changes
packages/aws-cdk/lib/commands/doctor.ts Outdated

function anonymizeAwsVariable(name: string, value: string) {
if (name === 'AWS_ACCESS_KEY_ID') { return value.substr(0, 4) + '*'.repeat(Math.max(0, value.length - 4)); }
if (name === 'AWS_SECRET_ACCESS_KEY') { return '*'.repeat(value.length); }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No strong feelings, but I'd usually literally output <redacted> for those instead of a string of *s.

packages/aws-cdk/lib/commands/doctor.ts Outdated
function anonymizeAwsVariable(name: string, value: string) {
if (name === 'AWS_ACCESS_KEY_ID') { return value.substr(0, 4) + '*'.repeat(Math.max(0, value.length - 4)); }
if (name === 'AWS_SECRET_ACCESS_KEY') { return '*'.repeat(value.length); }
if (name === 'AWS_SESSION_TOKEN') { return '*'.repeat(50); }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No strong feelings, but I'd usually literally output <redacted> for those instead of a string of *s.

packages/aws-cdk/lib/commands/doctor.ts Outdated
@@ -68,3 +68,10 @@ function displayCdkEnvironmentVariables() {
}
return healthy;
}

function anonymizeAwsVariable(name: string, value: string) {
if (name === 'AWS_ACCESS_KEY_ID') { return value.substr(0, 4) + '*'.repeat(Math.max(0, value.length - 4)); }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And here, I would put ####<redacted>. I also don't know whether the "common" practice is to show few first or few last... Maybe should research some weak evidence of what others do (we don't want to cause leaking a head when other tools leak the tail - that'd be us giving out additional info)?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm leaking the first 4 characters on purpose, because they tell us the type of access key used:

  • AKIA for long-lived (user) keys.
  • ASIA for short-lived (session, role) keys.

These are standardized and not part of the secret material.

@RomainMuller
Copy link
Contributor

Would be nice to have a test for this...

@rix0rrr
Copy link
Contributor Author

rix0rrr commented Apr 23, 2019

Would be nice to have a test for this...

Needs to be an integ test, so goes into a different package.

@rix0rrr rix0rrr merged commit 6209c6b into master Apr 23, 2019
@rix0rrr rix0rrr deleted the huijbers/doctor-no-secrets branch April 23, 2019 14:13
piradeepk pushed a commit to piradeepk/aws-cdk that referenced this pull request Apr 25, 2019
@rix0rrr @piradeepk
fix(toolkit): stop 'cdk doctor' from printing AWS_ variables (aws#2357)
361d6d0 
Fixes aws#1931.
SanderKnape pushed a commit to SanderKnape/aws-cdk that referenced this pull request May 14, 2019
@rix0rrr @SanderKnape
fix(toolkit): stop 'cdk doctor' from printing AWS_ variables (aws#2357)
d5ac172 
Fixes aws#1931.
@NGL321 NGL321 added the contribution/core This is a PR that came from AWS. label Sep 27, 2019
@shivlaks shivlaks mentioned this pull request Oct 7, 2019
Closed
This was referenced Dec 12, 2019
Closed
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@RomainMuller RomainMuller RomainMuller approved these changes

Assignees
No one assigned
Labels
contribution/core This is a PR that came from AWS.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

cdk doctor potentially exposes secrets
3 participants
@rix0rrr @RomainMuller @NGL321