[PUP-9787] Unintentional secret reveal while installing modules Created: 2019/06/19  Updated: 2019/10/10  Resolved: 2019/10/04

Status: Resolved
Project: Puppet
Component/s: Modules
Affects Version/s: PUP 4.10.12, PUP 5.5.14, PUP 6.4.2
Fix Version/s: PUP 6.10.1

Type: Bug Priority: Minor
Reporter: Chris Suszynski Assignee: Jorie Tappa
Resolution: Fixed Votes: 0
Labels: resolved-issue-added
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Template: PUP Bug Template
Acceptance Criteria:
  • Puppet should not reveal sensitive information while isntalling modules.
  • Unit tests are added that assure that masking is done
Team: Coremunity
Sprint: Platform Core KANBAN
Method Found: Needs Assessment
Release Notes: Bug Fix
Release Notes Summary: If the Puppet[:module_repository] URL includes credentials, then redact them when connecting to the forge.
QA Risk Assessment: Needs Assessment


Puppet Version: any
Puppet Server Version: any
OS Name/Version: any

Actual Behavior:

Puppet Forge is public, and downloading modules don't require authentication. However there are some repositories that can hold modules and require authentication to connect.

Those repositories are:

When installing modules from those repositories user is forced to set his credentials in plain text in URI supported form, for ex.:


Installing modules with similar module repository being set, reveals those credentials. In fact it's done each time a module is installed, with a message:

Notice: Preparing to install into /home/jdoe/.puppetlabs/etc/code/modules ...
Notice: Downloading from https://jdoe:s3creT@pkg.acmecorp.com/repository/puppet ...

Desired Behavior:

Puppet should mask password if given, like this:

Notice: Preparing to install into /home/jdoe/.puppetlabs/etc/code/modules ...
Notice: Downloading from https://jdoe:***@pkg.acmecorp.com/repository/puppet ...


Comment by Josh Cooper [ 2019/10/04 ]

Merged to master in https://github.com/puppetlabs/puppet/commit/6e681f529823166b30567d22bed3ee0279cf6daf

Comment by Josh Cooper [ 2019/10/04 ]

Passed CI in 4a987afd88

Comment by Jean Bond [ 2019/10/09 ]

Jorie Tappa, is this fix in 6.10.1 only, not in 6.4.4 or 5.5.17?

Comment by Josh Cooper [ 2019/10/09 ]

Yep just 6.10.1

Comment by Jean Bond [ 2019/10/10 ]

Thank you Josh Cooper!

Generated at Sat Aug 08 08:47:36 PDT 2020 using Jira 8.5.2#805002-sha1:a66f9354b9e12ac788984e5d84669c903a370049.