| From a Slack convo with Henrik: https://puppetcommunity.slack.com/archives/C0W1X7ZAL/p1621341048001500
gabi Today at 3:30 PM
@helindbe or whoever may have more context: I was curious if https://tickets.puppetlabs.com/browse/PUP-11061 was an implementation oversight or intended behavior
helindbe 15 minutes ago
The only thing that shpuld be allowed is to know the base type of the value (e.g String), but not specifics of that steing, such as the lenght or characters in it. From that it follows that comparison should not be allowed. One reason is that equality check can fail and the error message may reveal the sensitive value. However, since unwrap is available, it isn’t really a hard security concern, but unwrap shifts the responsibility not to spill the secret.
Hope this explains why it works the way it does.
helindbe 11 minutes ago
So, I consider this intended behavior, but I don’t see a real problem if an equality check was to return true if sensitive values are equal and false for all other cases (including possible errors). Problem is, where do you stop, also support in selector and case and other comparisons… Probably best to keep it the way it is.
|
