java-buildpack icon indicating copy to clipboard operation
java-buildpack copied to clipboard

Published 20 hours ago verified publisher icon cloudfoundry

Dynatrace Integration Prints API Token Secret

Open TimGerlach opened this issue 3 years ago • 1 comments

Observed Issue

When using the Dynatrace integration of this buildpack it will log the complete API token into the staging logs of Cloud Foundry.

For example when running cf push with Dynatrace enabled it looks like the following:

-----> Downloading Dynatrace One Agent latest from https://<DYNATRACE_URL>/api/v1/deployment/installer/agent/unix/paas/latest?include=java&bitness=64&Api-Token=dt0c01.NDL63DNEONLLGXTYFDMZ4J47.C5YSHCIF22EWGTVZ2V7PLTZTR4XI6GSWEF4AARMFXLMKOOJUJB6QTTDXLY3J4QS2 (found in cache)

Expected Behaviour

According to the Dynatrace API token format specification the public portion of the token can be treated like a public secret key. This allows for identifying which token was used for staging the app. The secret portion of the token, however, should not be logged to avoid that it shows up in CI/CD pipelines, for example.

Therefore, a better way of logging the API token would be like so:

dt0c01.NDL63DNEONLLGXTYFDMZ4J47.<masked>

TimGerlach avatar Sep 15 '22 16:09 TimGerlach

The integration uses the download function from the Buildpack-internal base component which prints out the whole Url. We are currently evaluating the option to adapt the sanitizer to prevent the logging of the secret portion of the key.

rbamberger avatar Sep 30 '22 12:09 rbamberger