  1. Puppet
  2. PUP-9787

Unintentional secret reveal while installing modules

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: PUP 4.10.12, PUP 5.5.14, PUP 6.4.2
    • Fix Version/s: PUP 6.10.1
    • Component/s: Modules
    • Template:
      PUP Bug Template
    • Acceptance Criteria:
      • Puppet should not reveal sensitive information while installing modules.
      • Unit tests are added that assure that masking is done
    • Team:
      Coremunity
    • Sprint:
      Platform Core KANBAN
    • Method Found:
      Needs Assessment
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      If the Puppet[:module_repository] URL includes credentials, then redact them when connecting to the forge.
    • QA Risk Assessment:
      Needs Assessment

      Description

      Puppet Version: any
      Puppet Server Version: any
      OS Name/Version: any

      Actual Behavior:

      Puppet Forge is public, and downloading modules doesn't require authentication. However, there are some repositories that can hold modules and require authentication to connect.

      Those repositories are:

      When installing modules from those repositories, the user is forced to set his credentials in plain text in the URI-supported form, e.g.:

      https://admin:s3creT@pkg.acmecorp.com/repository/puppet

      Installing modules with a similar module repository set reveals those credentials. In fact, it's done each time a module is installed, with a message:

      Notice: Preparing to install into /home/jdoe/.puppetlabs/etc/code/modules ...
      Notice: Downloading from https://jdoe:s3creT@pkg.acmecorp.com/repository/puppet ...
      

      Desired Behavior:

      Puppet should mask the password if given, like this:

      Notice: Preparing to install into /home/jdoe/.puppetlabs/etc/code/modules ...
      Notice: Downloading from https://jdoe:***@pkg.acmecorp.com/repository/puppet ...
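
The masking requested above, as an added Ruby example; it is not part of the original report and is not Puppet's actual fix. The names `redact_url_password` and `download_notice` are hypothetical, and the sample URLs are constructed from the ones in the report.

```ruby
require 'uri'

MASK = '***'

# Return the URL with any password in its userinfo replaced by MASK.
# The user name is kept so the log still shows which account was used.
def redact_url_password(url)
  uri = URI.parse(url.to_s)
  return url.to_s if uri.password.nil? # no password present: nothing to hide
  uri.password = MASK
  uri.to_s
rescue URI::Error
  # Input the URI library rejects (for example an unescaped space in the
  # password) must not fall through to the log unmasked. Mask everything
  # between the first ':' after the scheme's user name and the last '@'
  # inside the authority part.
  url.to_s.sub(%r{\A([a-z][a-z0-9+.-]*://[^/?#:@]*):[^/?#]*@}i, "\\1:#{MASK}@")
end

# Build the notice text from the report using the redacted URL only.
def download_notice(repository_url)
  "Downloading from #{redact_url_password(repository_url)} ..."
end

if __FILE__ == $0
  # Constructed sample inputs covering the cases a logger will meet.
  [
    'https://jdoe:s3creT@pkg.acmecorp.com/repository/puppet', # user + password
    'https://jdoe@pkg.acmecorp.com/repository/puppet',        # user only
    'https://pkg.acmecorp.com/repository/puppet',             # anonymous
    'https://jdoe:s3 creT@pkg.acmecorp.com/repository/puppet' # unparseable
  ].each { |url| puts "Notice: #{download_notice(url)}" }
end
```

Redaction belongs at the point where the message is formatted, so the unmodified URL is still used for the actual connection.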
      

       

              People

              • Assignee:
                jorie Jorie Tappa
                Reporter:
                cardil Chris Suszynski