Jira (PUP-10100) Exec resource should not leak sensitive commands when a relative path is given

18 views
Skip to first unread message

Josh Cooper (JIRA)

unread,
Oct 11, 2019, 12:57:04 PM10/11/19
to puppe...@googlegroups.com
Josh Cooper created an issue
 
Puppet / Bug PUP-10100
Exec resource should not leak sensitive commands when a relative path is given
Issue Type: Bug Bug
Assignee: Unassigned
Created: 2019/10/11 9:56 AM
Priority: Normal Normal
Reporter: Josh Cooper

From: https://tickets.puppetlabs.com/browse/PUP-6494?focusedCommentId=692157&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-692157

exec { "echo_passphrase":
 
 command => Sensitive("echo \"${secretpw.unwrap}\""),
 
}


Error: Failed to apply catalog: Validation of Exec[populate_luksfile] failed: 'echo "supersecretpassword"' is not qualified and no path was specified. Please qualify the command or specify a path.

The issue is the error message includes the entire command to execute, instead of the first component of command which wasn't an absolute path.
Add Comment Add Comment
 
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
Atlassian logo

Josh Cooper (JIRA)

unread,
Oct 11, 2019, 1:01:04 PM10/11/19
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-10100
 
Re: Exec resource should not leak sensitive commands when a relative path is given

This is a simple fix:

$ bx puppet apply -e "exec { 'echo_passphrase':
 
 command => Sensitive('echo foo'),
 
}"
 
Notice: Compiled catalog for localhost in environment production in 0.09 seconds
 
Error: Validation of Exec[echo_passphrase] failed: 'echo' is not qualified and no path was specified. Please qualify the command or specify a path. (line: 1)


diff --git a/lib/puppet/provider/exec.rb b/lib/puppet/provider/exec.rb
 
index 778099c221..c89c3da5da 100644
 
--- a/lib/puppet/provider/exec.rb
 
+++ b/lib/puppet/provider/exec.rb
 
@@ -88,6 +88,6 @@ class Puppet::Provider::Exec < Puppet::Provider
 
   def validatecmd(command)
 
     exe = extractexe(command)
 
     # if we're not fully qualified, require a path
 
-    self.fail _("'%{command}' is not qualified and no path was specified. Please qualify the command or specify a path.") % { command: command } if !absolute_path?(exe) and resource[:path].nil?
 
+    self.fail _("'%{exe}' is not qualified and no path was specified. Please qualify the command or specify a path.") % { exe: exe } if !absolute_path?(exe) and resource[:path].nil?
 
   end
 
 end

Note the extractexe command knows how to extract quoted executables, as often occur on Windows.

Josh Cooper (JIRA)

unread,
Oct 14, 2019, 12:44:03 PM10/14/19
to puppe...@googlegroups.com
Josh Cooper updated an issue
 
Change By: Josh Cooper
Sprint: Platform Core KANBAN

Josh Cooper (JIRA)

unread,
Oct 14, 2019, 12:50:03 PM10/14/19
to puppe...@googlegroups.com
Josh Cooper assigned an issue to Josh Cooper
Change By: Josh Cooper
Assignee: Josh Cooper

Josh Cooper (JIRA)

unread,
Oct 15, 2019, 1:01:03 PM10/15/19
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-10100
 
Re: Exec resource should not leak sensitive commands when a relative path is given

Brian Conner, Kledson Basso, Adam Winberg since you commented on PUP-6494, what do you think about the above approach to redact sensitive commands? For example, given 

exec { "echo_passphrase":
 
 command => Sensitive("echo \"${secretpw.unwrap}\""),
 
}

will fail since echo is not fully qualified. Is it ok for the error message to specify only the executable in the error message? Or would you expect the entire command is redacted? Trying to balance security with user experience when debugging failed exec resources.

Adam Winberg (JIRA)

unread,
Oct 15, 2019, 2:08:03 PM10/15/19
to puppe...@googlegroups.com
Adam Winberg commented on Bug PUP-10100 

Is it ok for the error message to specify only the executable in the error message?

Yes, that would be fine for me.

Josh Cooper (JIRA)

unread,
Oct 30, 2019, 1:44:03 AM10/30/19
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Fix Version/s: PUP 6.11.0
Fix Version/s: PUP 6.4.5
Fix Version/s: PUP 5.5.18

Josh Cooper (JIRA)

unread,
Oct 30, 2019, 1:48:02 AM10/30/19
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Release Notes Summary: Redact arguments passed to exec command, onlyif or unless parameters.
Release Notes: Bug Fix

Josh Cooper (JIRA)

unread,
Oct 30, 2019, 1:59:03 AM10/30/19
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Release Notes Summary: Redact If an exec resource's command is not executable or cannot be resolved into a fully qualified path, only print the command, but not the potentially sensitive arguments passed to exec the command . Also redact the output of sensitive commands when the logoutput parameter is true , onlyif or unless parameters the parameter is on_failure (the default) and the command fails .

Josh Cooper (JIRA)

unread,
Oct 30, 2019, 2:00:12 AM10/30/19
to puppe...@googlegroups.com

Josh Cooper (JIRA)

unread,
Nov 1, 2019, 12:23:03 PM11/1/19
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-10100

Passed CI in 5a7e3ec4bf

Heston Hoffman (JIRA)

unread,
Nov 15, 2019, 7:33:03 PM11/15/19
to puppe...@googlegroups.com
Heston Hoffman updated an issue
 
Change By: Heston Hoffman
Labels: resolved-issue-added
Reply all
Reply to author
Forward
0 new messages