GitHub authentication headers can leak to logs #10139
Labels: area/logging (Logs and diagnostics), impact/security, kind/bug (Some behavior is incorrect or out of spec), resolution/fixed (This issue was fixed)
What happened?
When installing a Pulumi plugin (custom provider) that's hosted on a private GitHub repository, a GitHub token is required. That token is inserted as a header in the GET request so that GitHub can authenticate it.
However, if the CLI verbosity level is set to 9 or above and the plugin hasn't been installed yet, then plugins.go will leak the GitHub token into the logs as part of logging the request headers.
Steps to reproduce
Download a plugin from GitHub with GITHUB_TOKEN set.
Expected Behavior
Log messages to not include the actual GITHUB_TOKEN.
Actual Behavior
Log message includes the token:
Versions used
3.35
Additional context
This was introduced in #9185.
We should either blind the Authorization header before writing to logs, or move this to log level 11, which intentionally leaks credentials to help with debugging.
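The first option proposed above, redacting the Authorization header before a verbose request dump is written, looks roughly like the following. This is an added illustration and is not code from Pulumi's plugins.go; the header names, the `[REDACTED]` marker, the request URL and the token value are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// sensitiveHeaders lists header names whose values must never reach logs.
// Constructed for this example; keys are in net/http canonical form.
var sensitiveHeaders = map[string]bool{
	"Authorization":       true,
	"Proxy-Authorization": true,
	"Cookie":              true,
	"Set-Cookie":          true,
}

// RedactHeaders returns a copy of h in which every sensitive header value is
// replaced by a fixed marker. The original header map is left untouched so the
// real request still carries its credentials.
func RedactHeaders(h http.Header) http.Header {
	out := make(http.Header, len(h))
	for name, values := range h {
		if sensitiveHeaders[http.CanonicalHeaderKey(name)] {
			out[name] = []string{"[REDACTED]"}
			continue
		}
		out[name] = append([]string(nil), values...)
	}
	return out
}

// renderHeaders prints headers one per line, sorted by name so the output is
// stable enough to compare in tests.
func renderHeaders(h http.Header) string {
	keys := make([]string, 0, len(h))
	for k := range h {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		fmt.Fprintf(&b, "%s: %s\n", k, strings.Join(h[k], ", "))
	}
	return b.String()
}

// DumpHeadersRaw mirrors the problematic behaviour: a verbose log that prints
// the request headers verbatim, token included.
func DumpHeadersRaw(h http.Header) string {
	return renderHeaders(h)
}

// DumpHeadersSafe is the hardened form: redact first, then render.
func DumpHeadersSafe(h http.Header) string {
	return renderHeaders(RedactHeaders(h))
}

// ContainsSecret reports whether a secret appears in rendered log text; a
// regression test can call it on the safe dump to guard against future leaks.
func ContainsSecret(logText, secret string) bool {
	return strings.Contains(logText, secret)
}

func main() {
	// Constructed sample request for a plugin download from a private repo.
	const token = "ghp_EXAMPLE_TOKEN_NOT_REAL"
	req, _ := http.NewRequest(http.MethodGet,
		"https://api.github.com/repos/example-org/pulumi-example/releases", nil)
	req.Header.Set("Authorization", "token "+token)
	req.Header.Set("Accept", "application/octet-stream")
	req.Header.Set("User-Agent", "pulumi-cli/3.35")

	fmt.Println("raw dump (leaks the token):")
	fmt.Print(DumpHeadersRaw(req.Header))
	fmt.Println("safe dump:")
	fmt.Print(DumpHeadersSafe(req.Header))
	fmt.Println("token present in safe dump:", ContainsSecret(DumpHeadersSafe(req.Header), token))
}
```

The redaction is keyed on the canonical header name rather than on the value, so it also catches a token sent as a Basic or Bearer credential, and the original `http.Header` is copied rather than mutated so the outgoing request is unaffected by what the logger does.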