Exposed Sentry.io authentication details in URI
Potential security breach. See /lib/config.ts
Thanks for reporting it @gitty8. 👍 I think you mean the sentry.io URL in this line, right?
For context (for anyone else reading this issue), we use Sentry.io to automatically / remotely report uncaught errors (bugs) in the CLI. The username and password are not the CLI user's, but rather auth tokens generated to authenticate the balena CLI Sentry account/project. We should still try to avoid exposing it, nonetheless.
I suppose we could move the tokens (username and password) from the Sentry URL to HTTP headers, as described in the Sentry Authentication docs. As for where to store the tokens, storing in the source code also sounds less than ideal (especially in an open-source project). Perhaps we could fetch the tokens from a balena endpoint, which in turn could be linked to balena user authentication. (The latter would not work with openBalena, though, which allows the balena CLI to be used without a balenaCloud account.)
I have taken the liberty of editing the issue title. The original title would give the impression that it is the CLI user's username and password that are exposed, which might cause some "panic". I don't mean to diminish the importance of the issue, just to more accurately represent its meaning.
Thanks again for reporting it. 👍
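As an added example (not balena CLI code), a small TypeScript check that flags URLs carrying credentials in their userinfo part, such as a Sentry DSN with the secret key embedded, and returns a redacted copy suitable for logs or a pre-commit audit of config sources; the sample config text and key values are constructed.

```typescript
// Added example (not balena CLI code): find URLs that embed credentials in
// the userinfo part ("https://user:secret@host/...") and produce a redacted
// copy for logs or for an audit of config files.

export interface UrlCredentialFinding {
  original: string;    // the URL as found in the text
  redacted: string;    // same URL with userinfo replaced
  hasPassword: boolean; // true when a "user:password" pair was present
}

// Matches http(s) URLs whose authority section contains "@", i.e. userinfo.
const URL_WITH_USERINFO = /https?:\/\/[^\s'"`<>@]+@[^\s'"`<>]+/g;

export function redactUrlCredentials(raw: string): UrlCredentialFinding | null {
  let parsed: URL;
  try {
    parsed = new URL(raw);
  } catch (_e) {
    return null; // not a well-formed absolute URL
  }
  if (parsed.username === '' && parsed.password === '') {
    return null; // no embedded credentials
  }
  const hasPassword = parsed.password !== '';
  // Keep a marker so a reader knows credentials were present and removed.
  parsed.username = 'REDACTED';
  parsed.password = hasPassword ? 'REDACTED' : '';
  return { original: raw, redacted: parsed.toString(), hasPassword };
}

export function findUrlCredentials(text: string): UrlCredentialFinding[] {
  const findings: UrlCredentialFinding[] = [];
  const re = new RegExp(URL_WITH_USERINFO.source, 'g');
  let match: RegExpExecArray | null;
  while ((match = re.exec(text)) !== null) {
    const finding = redactUrlCredentials(match[0]);
    if (finding) findings.push(finding);
  }
  return findings;
}

// Constructed sample resembling a config source file; the key values are fake.
export const SAMPLE_CONFIG = `
export const sentryDsn = 'https://0123abcd:fedcba98@sentry.io/12345';
export const apiUrl = 'https://api.balena-cloud.com';
`;
```

The same check applies to any scheme the URL class parses (for example database connection strings), not only Sentry DSNs.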
@pdcastro
If you use this notation:
balena login --credentials --email [email protected] --password secret
it actually sends your email and secret! So this issue should be prioritized I think.
CC: @thgreasi @dfunckt @klutchell
Hi @ahmetuludag, can you provide more information about the request that you are seeing being sent?
Hi @thgreasi
I've traced balena-cli network usage using mitmproxy and here's what I found:
It's sending sentry.io usage details and if you login by parameters like this:
balena login --credentials --email [email protected] --password s3cR3T
It's sending your email and password in JSON payload!