Jira (PUP-9787) Unintentional secret reveal while installing modules

[Chris Suszynski (JIRA)]

Chris Suszynski created an issue

Puppet / PUP-9787 Unintentional secret reveal while installing modules Issue Type: Bug Affects Versions: PUP 4.10.0 Assignee: Unassigned Components: Modules Created: 2019/06/19 3:45 PM Priority: Minor Reporter: Chris Suszynski Puppet Version: any Puppet Server Version: any OS Name/Version: any Actual Behavior: Puppet Forge is public, and downloading modules don't require authentication. However there are some repositories that can hold modules and require authentication to connect. Those repositories are: Artifactory (live) Nexus (emerging) (emerging) When installing modules from those repositories user is forced to set his credentials in plain text in URI supported form, for ex.: https://admin:s3c...@pkg.acmecorp.com/repository/puppet Installing modules with similar module repository being set, reveals those credentials. In fact it's done each time a module is installed, with a message: Notice: Preparing to install into /home/jdoe/.puppetlabs/etc/code/modules ... Notice: Downloading from https://jdoe:s3c...@pkg.acmecorp.com/repository/puppet ... Desired Behavior: Puppet should mask password if given, like this: Notice: Preparing to install into /home/jdoe/.puppetlabs/etc/code/modules ... Notice: Downloading from https://jdoe:***@pkg.acmecorp.com/repository/puppet ...   Add Comment

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

[Chris Suszynski (JIRA)]

Chris Suszynski updated an issue

Puppet / PUP-9787 Unintentional secret reveal while installing modules

Change By: Chris Suszynski Acceptance Criteria: * Puppet should not reveal sensitive information while isntalling modules. * Usit Unit tests are added that assure that marking masking is done

Add Comment

[Chris Suszynski (JIRA)]

Chris Suszynski updated an issue

Puppet / PUP-9787 Unintentional secret reveal while installing modules

Change By: Chris Suszynski Affects Version/s: PUP 4.10.0 Affects Version/s: PUP 4.10.12 Affects Version/s: PUP 5.5.14 Affects Version/s: PUP 6.4.2

Add Comment

[Chris Suszynski (JIRA)]

Chris Suszynski updated an issue

Puppet / PUP-9787 Unintentional secret reveal while installing modules Change By: Chris Suszynski

*Puppet Version:* any *Puppet Server Version:* any *OS Name/Version:* any *Actual Behavior:*

Puppet Forge is public, and downloading modules don't require authentication. However there are some repositories that can hold modules and require authentication to connect. Those repositories are:

* [Artifactory|https://www.jfrog.com/confluence/display/RTF/Puppet+Repositories] (live) * [Nexus (emerging) |https://github.com/wavesoftware/nexus-repository-puppet] (emerging)

When installing modules from those repositories user is forced to set his credentials in plain text in URI supported form, for ex.:

{noformat} https://admin:s3c...@pkg.acmecorp.com/repository/puppet{noformat}

Installing modules with similar module repository being set, reveals those credentials. In fact it's done each time a module is installed, with a message:

{noformat}

Notice: Preparing to install into /home/jdoe/.puppetlabs/etc/code/modules ... Notice: Downloading from https://jdoe:s3c...@pkg.acmecorp.com/repository/puppet ...

{noformat} *Desired Behavior:*

Puppet should mask password if given, like this:

{noformat}

Notice: Preparing to install into /home/jdoe/.puppetlabs/etc/code/modules ... Notice: Downloading from https://jdoe:***@pkg.acmecorp.com/repository/puppet ...

{noformat}

Add Comment

[Jorie Tappa (JIRA)]

Jorie Tappa updated an issue

Puppet / PUP-9787 Unintentional secret reveal while installing modules

Change By: Jorie Tappa Team: Coremunity

Add Comment

[Josh Cooper (JIRA)]

Josh Cooper updated an issue

Puppet / PUP-9787 Unintentional secret reveal while installing modules

Change By: Josh Cooper Sprint: Platform Core KANBAN

Add Comment

[Josh Cooper (JIRA)]

Josh Cooper assigned an issue to Jorie Tappa

Puppet / PUP-9787 Unintentional secret reveal while installing modules

Change By: Josh Cooper Assignee: Jorie Tappa

Add Comment

[Josh Cooper (JIRA)]

Josh Cooper updated an issue

Puppet / PUP-9787 Unintentional secret reveal while installing modules

Change By: Josh Cooper Fix Version/s: PUP 6.10.1

Add Comment

[Josh Cooper (JIRA)]

Josh Cooper updated an issue

Puppet / PUP-9787 Unintentional secret reveal while installing modules

Change By: Josh Cooper Release Notes Summary: If the Puppet[:module_repository] URL includes credentials, then redact them when connecting to the forge. Release Notes: Bug Fix

Add Comment

[Josh Cooper (JIRA)]

Josh Cooper commented on PUP-9787

Re: Unintentional secret reveal while installing modules Passed CI in 4a987afd88

Add Comment

[Josh Cooper (JIRA)]

Josh Cooper commented on PUP-9787

Re: Unintentional secret reveal while installing modules

Merged to master in https://github.com/puppetlabs/puppet/commit/6e681f529823166b30567d22bed3ee0279cf6daf

Add Comment

[Jean Bond (JIRA)]

Jean Bond commented on PUP-9787

Re: Unintentional secret reveal while installing modules

Jorie Tappa, is this fix in 6.10.1 only, not in 6.4.4 or 5.5.17?

Add Comment

[Josh Cooper (JIRA)]

Josh Cooper commented on PUP-9787

Re: Unintentional secret reveal while installing modules

Yep just 6.10.1

Add Comment

[Jean Bond (JIRA)]

Jean Bond commented on PUP-9787

Re: Unintentional secret reveal while installing modules

Thank you Josh Cooper!

Add Comment

[Jean Bond (JIRA)]

Jean Bond updated an issue

Puppet / PUP-9787

Unintentional secret reveal while installing modules

Change By: Jean Bond Labels: resolved-issue-added

Add Comment