sensitive fields of task `config` blocks exposed in plan output

Open EugenKon opened this issue 1 year ago • 1 comments

Nomad version

Nomad v1.7.5
BuildDate 2024-02-13T15:10:13Z
Revision 5f5d4646198d09b8f4f6cb90fb5d50b53fa328b8

Operating system and Environment details

Darwin Eugens-MacBook-Pro.local 23.1.0 Darwin Kernel Version 23.1.0: Mon Oct 9 21:27:27 PDT 2023; root:xnu-10002.41.9~6/RELEASE_X86_64 x86_64 i386 Darwin

Issue

image

Reproduction steps

Make changes to the task.config.auth.password option

Expected Result

Password should be masked

Actual Result

Password is not masked

EugenKon, Mar 06 '24 22:03

Noting that the jobspec section being discussed is here: https://developer.hashicorp.com/nomad/docs/drivers/docker#authentication

Fixing this is definitely a little tricky because the config block is owned by the task driver plugin, and the server treats it like an opaque blob of map[string]any. The server can't validate anything in there. That being said, it seems like we could probably have the server redact fields that we know about for internal task drivers, and maybe have it redact fields that "look" sensitive for external drivers?

tgross, Mar 14 '24 20:03
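
A sketch of the redaction idea from the comment above, as an added example that is not Nomad's code and not part of the thread: exact paths are masked for drivers the server knows, and name-based guessing is used for any other driver. The table `knownSensitive`, the `hints` list, the `<redacted>` marker, the function names and the sample config are all hypothetical; only `auth.password` for the docker driver comes from the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical table (only docker's auth.password is from the issue) and assumed name hints.
var knownSensitive = map[string]map[string]bool{"docker": {"auth.password": true}}
var hints = []string{"password", "secret", "token"}

func sensitive(driver, path, key string) bool {
	if known, ok := knownSensitive[driver]; ok {
		return known[path] // known driver: exact paths only
	}
	for _, h := range hints {
		if strings.Contains(strings.ToLower(key), h) {
			return true
		}
	}
	return false
}

// Redact returns a masked deep copy; list elements keep the parent path (assumed: blocks may decode as lists of maps).
func Redact(driver string, v any, path string) any {
	switch t := v.(type) {
	case map[string]any:
		out := make(map[string]any, len(t))
		for k, child := range t {
			p := strings.TrimPrefix(path+"."+k, ".")
			out[k] = Redact(driver, child, p)
			if sensitive(driver, p, k) {
				out[k] = "<redacted>"
			}
		}
		return out
	case []any:
		out := make([]any, len(t))
		for i, child := range t {
			out[i] = Redact(driver, child, path)
		}
		return out
	}
	return v
}

func main() {
	cfg := map[string]any{"auth": []any{map[string]any{"username": "ci", "password": "constructed"}}} // constructed sample
	fmt.Println(Redact("docker", cfg, ""))
}
```

The name heuristic also masks keys such as a path-valued `password_file`, which is the cost of guessing for drivers whose config the server cannot validate.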