terraform-provider-http

secrets leaking on error

Open johnypony3 opened this issue 3 years ago • 2 comments

Hi! The http provider is leaking secrets on error; relevant source here: if err != nil {

It would be ideal to have this dump controlled via the log level.

Terraform Version

  • 1.0.2
  • 1.0.3

Affected Resource(s)

Please list the resources as a list, for example:

  • http

Terraform Configuration Files

variable "super_sensitive_value" {
  type      = string
  sensitive = true
  default   = "apparently_not_sensitive_enough"
}

data "http" "use_vault_result_in_a_call" {
  url = var.super_sensitive_value
}

Debug Output

│ Error: Error making request: Get "apparently_not_sensitive_enough": unsupported protocol scheme ""
│
│   with data.http.use_vault_result_in_a_call,
│   on main.tf line 18, in data "http" "use_vault_result_in_a_call":
│   18: data "http" "use_vault_result_in_a_call" {

Expected Behavior

The variable super_sensitive_value is expected to be hidden from logs as it is marked as sensitive.

Actual Behavior

The variable super_sensitive_value is leaked to the log.

Steps to Reproduce

  1. terraform apply

References

  • https://github.com/hashicorp/terraform-provider-http/issues/34

johnypony3 avatar Sep 13 '21 15:09 johnypony3

Thanks for raising this, @johnypony3. Unfortunately the behaviour you see is expected at this point. Please see the documentation for Input Variables: https://www.terraform.io/docs/language/values/variables.html#cases-where-terraform-may-disclose-a-sensitive-variable

Providers cannot currently tell which variables are marked as sensitive in configuration and exclude them from error logging. The ability to represent this in the SDK is tracked in https://github.com/hashicorp/terraform-plugin-sdk/issues/736.

While we could make the inclusion of the URL in the error message conditional on log level, this would mask the underlying issue, and could be confusing for users who expect URLs in error messages (see for example https://github.com/hashicorp/terraform-provider-http/pull/55).

kmoe avatar Sep 27 '21 17:09 kmoe

I'm experiencing a similar issue, but with just normal requests. I have to make an https GET call with a URL containing a secret token. When applying, Terraform will log a full URL, disclosing sensitive data.

data.http.example-request: Read complete after 1s [id=https://mydomain.com/api/update?token=sensitive_secret_token]

kubenstein avatar Feb 26 '24 02:02 kubenstein
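Since the provider cannot see which values are marked sensitive (as kmoe notes above), one defensive option is for the provider to scrub URLs before they reach an error message or the resource id. The following is an added example, not code from terraform-provider-http: a Go helper that replaces an unparseable or scheme-less URL (the first report) with a placeholder and masks a constructed list of credential-like query parameters and userinfo passwords (the second report); the parameter names and the message format are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Query parameter names treated as secrets. Constructed for this example;
// a real provider would want this list configurable.
var sensitiveQueryKeys = map[string]bool{
	"token": true, "access_token": true, "api_key": true, "apikey": true,
	"key": true, "secret": true, "password": true, "sig": true,
}

const redacted = "REDACTED"

// RedactURL returns a copy of raw safe to place in logs and error messages.
// A scheme-less or unparseable value (the issue's misconfigured variable)
// becomes a fixed placeholder, because nothing tells us which part of it is
// the secret; a well-formed URL keeps host and path but loses credentials.
func RedactURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" {
		return "<" + redacted + " url>"
	}
	if u.User != nil {
		if _, hasPassword := u.User.Password(); hasPassword {
			u.User = url.UserPassword(u.User.Username(), redacted)
		}
	}
	q := u.Query()
	for k := range q {
		if sensitiveQueryKeys[strings.ToLower(k)] {
			q.Set(k, redacted)
		}
	}
	u.RawQuery = q.Encode()
	return u.String()
}

// wrapRequestError mirrors the provider's "Error making request" wrapping
// but runs the URL through RedactURL first (assumed message format).
func wrapRequestError(raw string, err error) error {
	return fmt.Errorf("making request to %s: %w", RedactURL(raw), err)
}

func main() {
	fmt.Println(RedactURL("https://mydomain.com/api/update?token=sensitive_secret_token"))
	fmt.Println(RedactURL("apparently_not_sensitive_enough"))
}
```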