  1. Puppet
  2. PUP-9787

Unintentional secret reveal while installing modules


    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: PUP 4.10.12, PUP 5.5.14, PUP 6.4.2
    • Fix Version/s: PUP 6.10.1
    • Component/s: Modules
    • Template:
      PUP Bug Template
    • Acceptance Criteria:
      • Puppet should not reveal sensitive information while installing modules.
      • Unit tests are added that assure that masking is done
    • Team:
    • Sprint:
      Platform Core KANBAN
    • Method Found:
      Needs Assessment
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      If the Puppet[:module_repository] URL includes credentials, then redact them when connecting to the forge.
    • QA Risk Assessment:
      Needs Assessment


      Puppet Version: any
      Puppet Server Version: any
      OS Name/Version: any

      Actual Behavior:

      Puppet Forge is public, and downloading modules doesn't require authentication. However, there are some repositories that can hold modules and require authentication to connect.

      Those repositories are:

      When installing modules from those repositories, the user is forced to set his credentials in plain text in URI-supported form, for example:


      Installing modules with a similar module repository set reveals those credentials. In fact, it's done each time a module is installed, with a message:

      Notice: Preparing to install into /home/jdoe/.puppetlabs/etc/code/modules ...
      Notice: Downloading from https://jdoe:s3creT@pkg.acmecorp.com/repository/puppet ...

      Desired Behavior:

      Puppet should mask the password if given, like this:

      Notice: Preparing to install into /home/jdoe/.puppetlabs/etc/code/modules ...
      Notice: Downloading from https://jdoe:***@pkg.acmecorp.com/repository/puppet ...
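
The masking requested above, sketched in Ruby as an added example (not Puppet's actual fix and not code from this ticket); `MASK`, `redact_url_password` and `download_notice` are hypothetical names. It works on the raw string rather than a parsed URI, so a URL with an unencoded "@" or ":" in the password is still redacted before it reaches the log.

```ruby
# Added example; not Puppet's implementation. All names are hypothetical.
MASK = '***'

# Returns +url+ with the password in its userinfo replaced by MASK.
# String-based on purpose: a malformed URL (e.g. an unencoded "@" in the
# password) must still be redacted, not raise or be logged verbatim.
# Limitation: a password containing an unencoded "/", "?" or "#" falls
# outside the authority per RFC 3986 and is not handled here.
def redact_url_password(url)
  scheme_end = url.index('://')
  return url if scheme_end.nil?

  auth_start = scheme_end + 3
  # The authority ends at the first "/", "?" or "#" after the scheme.
  auth_end = url.index(%r{[/?#]}, auth_start) || url.length
  authority = url[auth_start...auth_end]

  # Userinfo is everything before the LAST "@" in the authority, so an
  # "@" inside the password cannot leak its tail into the host part.
  at = authority.rindex('@')
  return url if at.nil?

  userinfo = authority[0...at]
  # The user name ends at the FIRST ":"; everything after is the password.
  colon = userinfo.index(':')
  return url if colon.nil?

  user = userinfo[0...colon]
  url[0...auth_start] + user + ':' + MASK + authority[at..-1] + url[auth_end..-1]
end

# Builds the notice line from the report with the repository URL redacted.
def download_notice(repository_url)
  "Notice: Downloading from #{redact_url_password(repository_url)} ..."
end
```

A unit test for the acceptance criteria would assert on the returned notice string for URLs with and without credentials.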






              • Assignee:
                jorie Jorie Tappa
                cardil Chris Suszynski