GitHub authentication headers can leak to logs #10139
Comments
Frassle
added
kind/bug
* Only log request/response headers at level 11 Fixes #10139 * Add to CHANGELOG
|
@Frassle I'm reopening the issue as I think we bring added clarity to the end-user. One thing that wasn't obvious and as it was reported by @contrarianchris is that setting the log level doesn't mean the user knows the implications of doing so. As a possible improvements, I think the CLI should display a clear (yellow colored?) warning when the log level is 10 or above, and clear state that such level may reveal sensitive information such as token and request headers. I also think we should update our documentation https://www.pulumi.com/docs/support/troubleshooting/#verbose-logging to reflect the changes as well. |
Yup Luke had also made this comment on the PR and I'd made a note to myself to change that today, but I do like the explicit warning at startup as well. I'll add that. |
What happened?
When installing a Pulumi plugin (custom provider) that's hosted on a private Github repository, a Github Token is required. That token is inserted as a header in the GET query for Github to authenticate the request.
However, if the CLI is set to verbosity level is set to 9 or above and the plugin hasn't been installed yet, then
plugins.gowill leak the Github token into the logs as part of logging the request headers.Steps to reproduce
Download a plugin from github with GITHUB_TOKEN set.
Expected Behavior
Log messages to not include the actual GITHUB_TOKEN.
Actual Behavior
Log message includes the token:
Versions used
3.35
Additional context
This was introduced in #9185.
We should either blind the Authorization before writing to logs, or move this to log level 11 which intentionally leaks credentials to help with debugging.
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
The text was updated successfully, but these errors were encountered: