
drone-cache exposes some secrets in debug mode

Open hacktron95 opened this issue 4 years ago • 4 comments

Describe the bug

Drone prints the passed gcs.json-key secret in the logs when debug mode is enabled.

To Reproduce

Steps to reproduce the behavior:

  1. Using the current version v1.1.0, I passed gcs.json-key as an organization secret and enabled debug mode.

Expected behavior

Whether in debug mode or not, drone should never print a secret, and you will see in the screenshot that drone actually does this; it's only the json-key that is printed.

Screenshots

[image]

Desktop (please complete the following information):

  • OS: x86_64 Linux 5.8.1-arch1-1

hacktron95 avatar Oct 09 '20 02:10 hacktron95

@hacktron95 Wow 😮 Thanks for catching this.

kakkoyun avatar Oct 12 '20 08:10 kakkoyun

@kakkoyun if you have a suggested approach, or you doubt something is causing this, please let me know, I might be able to solve it.

hacktron95 avatar Oct 13 '20 04:10 hacktron95

@hacktron95 If we could find an obfuscator, that would be the easiest. Otherwise, rather than blindly logging data, we should just manually select what we log.

kakkoyun avatar Oct 13 '20 16:10 kakkoyun
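One way to keep a generic "dump the whole config" debug line from leaking a credential, as an added example that is not drone-cache's own code: wrap the secret in a type whose formatting and JSON methods always return a marker, so `%+v`, `%#v` and `json.Marshal` cannot print it. The Config field names are assumptions for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Secret wraps a credential so that every generic formatting path
// (%v, %+v, %#v, %s, JSON encoding) prints a fixed marker instead of
// the value. The raw value is only reachable through Reveal().
type Secret string

const redacted = "[REDACTED]"

func (s Secret) String() string   { return redacted }
func (s Secret) GoString() string { return redacted }
func (s Secret) MarshalJSON() ([]byte, error) {
	return json.Marshal(redacted)
}

// Reveal returns the real value for the code that actually needs it
// (e.g. the storage client); nothing else should call it.
func (s Secret) Reveal() string { return string(s) }

// Config stands in for a cache plugin's settings; the field names are
// assumptions for this example, not drone-cache's own.
type Config struct {
	Backend    string
	Bucket     string
	GCSJSONKey Secret
	Debug      bool
}

// debugDump is the kind of "log the whole config" call that leaks a
// plain string field; with Secret the dump stays safe.
func debugDump(cfg Config) string { return fmt.Sprintf("%+v", cfg) }

// debugJSON shows the same protection for structured (JSON) log output.
func debugJSON(cfg Config) (string, error) {
	b, err := json.Marshal(cfg)
	return string(b), err
}

func main() {
	// Constructed sample key, not a real credential.
	cfg := Config{Backend: "gcs", Bucket: "ci-cache",
		GCSJSONKey: Secret(`{"type":"service_account","private_key":"FAKE"}`), Debug: true}
	fmt.Println(debugDump(cfg))
	out, _ := debugJSON(cfg)
	fmt.Println(out)
	// Caveat: reflection-based dumpers bypass these methods, so hand-selecting
	// what gets logged, as suggested above, still matters.
}
```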

@hacktron95 Do you still see secrets printed in logs when debug mode is enabled?

apoorva-marisomaradhya avatar Aug 05 '21 21:08 apoorva-marisomaradhya