C# library outputs secret information to the ASP.NET Kestrel log file
Steps To Reproduce
I'm using BWS to store database connections strings for an ASP.NET MVC application. In a simple example, this can be done like so:
```csharp
protected override void OnConfiguring(DbContextOptionsBuilder optionsBuilder)
{
    if (!optionsBuilder.IsConfigured)
    {
        // Access token and secret ID are read from environment variables.
        var accessToken = Environment.GetEnvironmentVariable("MY_TOKEN")!;
        var secretId = Guid.Parse(Environment.GetEnvironmentVariable("MY_SECRET")!);

        // Log in and fetch the connection string stored as a secret.
        var bitwardenClient = new BitwardenClient();
        bitwardenClient.AccessTokenLogin(accessToken);
        var secretResponse = bitwardenClient.Secrets.Get(secretId);
        string _connectionString = secretResponse.Value;
        optionsBuilder.UseMySQL(_connectionString);
    }
}
```
At runtime, BWS is logging the secret data to the Kestrel log:
```
2024-06-18 09:41:20 {"accessTokenLogin":{"accessToken":"REDACTED"}}
2024-06-18 09:41:20 {"secrets":{"get":{"id":"REDACTED"}}}
```
Expected Result
That secret information would not be logged
Actual Result
Secret information is logged
Screenshots or Videos
No response
Additional Context
.NET 8
Operating System
Windows, Linux
Operating System Version
Windows 11, Linux Docker containers
Build Version
0.0.1-alpha
Issue Tracking Info
- [X] I understand that work is tracked outside of GitHub. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
Hey @dmtooke-imm, thanks for reporting this. We have verified this logging is no longer happening on the latest builds of the SDK. We will need to update our C# NuGet package though 🙂
I'll come back and update this thread once this happens.
Great, thanks. It's a nice library and I hope it becomes fully supported and more widely advertised soon.
@halfelven thanks for your patience. Our team has released a new NuGet package for the 1.0 version: https://www.nuget.org/packages/Bitwarden.Secrets.Sdk
If the problem still persists please re-open this or let us know 😃
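For logs already written by the affected build, the following is an added example (not part of the thread and not Bitwarden's code) that finds the two command lines shown in the report and rewrites them with the values masked. The line layout and key paths are taken from the report; the sample lines, the function names and the choice of Python for log triage are assumptions of this example.

```python
import json
import re

# Line layout from the report: "<date> <time> <JSON command object>".
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\{.*\})\s*$")
# Key paths seen in the report; extend this set for other commands (assumption).
SENSITIVE_PATHS = {("accessTokenLogin", "accessToken"), ("secrets", "get", "id")}


def _redact(node, path, hits):
    """Copy node, masking string values at sensitive paths and recording each hit."""
    if isinstance(node, dict):
        return {k: _redact(v, path + (k,), hits) for k, v in node.items()}
    if path in SENSITIVE_PATHS and isinstance(node, str) and node != "REDACTED":
        hits.append(".".join(path))
        return "REDACTED"
    return node


def scan_log(lines):
    """Return (findings, cleaned); findings are (line_no, timestamp, key_path)."""
    findings, cleaned = [], []
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        try:
            obj = json.loads(m.group(2)) if m else None
        except json.JSONDecodeError:
            obj = None  # looks like a command line but is not valid JSON
        hits = []
        redacted = _redact(obj, (), hits)
        findings.extend((no, m.group(1), h) for h in hits)
        if hits:
            line = f"{m.group(1)} {json.dumps(redacted, separators=(',', ':'))}"
        cleaned.append(line)
    return findings, cleaned


# Constructed sample: the values are placeholders, not real tokens or IDs.
SAMPLE = [
    "info: application started (constructed non-SDK line)",
    '2024-06-18 09:41:20 {"accessTokenLogin":{"accessToken":"0.example.constructed"}}',
    '2024-06-18 09:41:20 {"secrets":{"get":{"id":"00000000-0000-0000-0000-000000000000"}}}',
    '2024-06-18 09:41:21 {"secrets":{"get":{"id":"REDACTED"}}}',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE)[0]:
        print(finding)
```

A hit on `accessTokenLogin.accessToken` means that token was written to the log in clear text and should be treated as exposed.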