Password used by plugin shows up in debug mode

Bug #1501598 reported by Lin Hua Cheng
Affects: python-openstackclient
Status: Fix Released
Importance: High
Assigned to: Lin Hua Cheng

Bug Description

Steps to reproduce:
1. Run OSC in debug mode.

Expected result:
Password should not show up

Actual result:
Password shows up

Output from terminal running OSC command:
$ openstack account set --property test=me --debug
START with options: ['account', 'set', '--property', 'test=me', '--debug']
...
compute API version 2, cmd group openstack.compute.v2
...
command: account set -> openstackclient.object.v1.account.SetAccount
Auth plugin osc_password selected
Password:
auth_type: osc_password
Using auth plugin: osc_password
Using parameters {'username': 'admin', 'tenant_name': 'admin', 'project_name': 'admin', 'password': '<PASSWORD LOGGED!!!>', 'auth_url': 'http://10.0.2.15:5000/v2.0'}

description: updated
Revision history for this message
Steve Martinelli (stevemar) wrote :

the code in question is here: https://github.com/openstack/python-openstackclient/blob/9c492b742d1128bfb8ac291889e1e5d6c9d25b88/openstackclient/common/clientmanager.py#L170

Is there a standard for blocking out any field that contains the key 'password' or 'secret'? I feel like there are probably fields aside from password that should be blocked out.

Changed in python-openstackclient:
status: New → Confirmed
importance: Undecided → High
Revision history for this message
Lin Hua Cheng (lin-hua-cheng) wrote :
Revision history for this message
Steve Martinelli (stevemar) wrote :

@lin, in addition to 'password', we should also check 'secret' and 'token'. I'm thinking of --client-secret for the OpenID stuff, and the admin token.
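
One way to implement the masking discussed in this comment, as an added example that is not the OSC project's own fix: any key containing 'password', 'secret' or 'token' is masked before the parameter dict is written to the debug log. The regex, the MASK placeholder and the sample parameter dict are assumptions constructed for illustration; the example also recurses into nested dicts, which goes beyond what the thread describes.

```python
import logging
import re

LOG = logging.getLogger(__name__)

# Key fragments treated as sensitive, following the thread: 'password'
# (the original leak), 'secret' (e.g. --client-secret for OpenID) and
# 'token' (the admin token). Matched as case-insensitive substrings, so
# 'client_secret', 'PASSWORD' and 'auth_token' are all caught (assumption).
SECRET_KEY_PATTERN = re.compile(r"password|secret|token", re.IGNORECASE)
MASK = "<redacted>"  # constructed placeholder written in place of the value


def mask_sensitive(params):
    """Return a copy of an auth parameter dict with sensitive values masked.

    The input dict is never modified, so the real credentials stay usable
    for authentication; only the copy handed to the logger is masked.
    Nested dicts are masked recursively (extension beyond the thread).
    """
    masked = {}
    for key, value in params.items():
        if isinstance(value, dict):
            masked[key] = mask_sensitive(value)
        elif SECRET_KEY_PATTERN.search(str(key)):
            masked[key] = MASK
        else:
            masked[key] = value
    return masked


def format_debug_line(params):
    """Build and log the 'Using parameters ...' line with secrets masked.

    The line is returned as well as logged so callers can check that no
    credential reached the log.
    """
    line = "Using parameters %s" % mask_sensitive(params)
    LOG.debug(line)
    return line


# Constructed sample mirroring the parameters shown in the bug report,
# plus a client secret and a token to show the extra keys being masked.
SAMPLE_PARAMS = {
    "username": "admin",
    "tenant_name": "admin",
    "project_name": "admin",
    "password": "constructed-pass",
    "auth_url": "http://10.0.2.15:5000/v2.0",
    "client_secret": "constructed-oidc-secret",
    "token": "constructed-admin-token",
}
```

Note that 'tenant_name' and 'project_name' are not touched, so the masked line still carries the non-secret context a debugging session needs.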

Revision history for this message
Lin Hua Cheng (lin-hua-cheng) wrote :

@steve: good catch! updated the patch

Changed in python-openstackclient:
assignee: nobody → Lin Hua Cheng (lin-hua-cheng)
Revision history for this message
Lin Hua Cheng (lin-hua-cheng) wrote :

I've consulted the security team about the issue. Password leaks at DEBUG level have never had advisories issued and have always been classified as security hardening improvements instead.

similar to this issue in nova:
https://bugs.launchpad.net/nova/+bug/1492140

I'm going to open this as public security.

information type: Private Security → Public Security
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-openstackclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/233271

Changed in python-openstackclient:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-openstackclient (master)

Reviewed: https://review.openstack.org/233271
Committed: https://git.openstack.org/cgit/openstack/python-openstackclient/commit/?id=f0a81c284d2f533e0fe8adc747c5bd0532a7684f
Submitter: Jenkins
Branch: master

commit f0a81c284d2f533e0fe8adc747c5bd0532a7684f
Author: lin-hua-cheng <email address hidden>
Date: Tue Oct 6 20:42:40 2015 -0700

    Mask the sensitive values in debug log

    Change-Id: I0eb11a648c3be21749690f079229c8e63a678e6c
    Closes-Bug: #1501598

Changed in python-openstackclient:
status: In Progress → Fix Committed
Dean Troyer (dtroyer)
Changed in python-openstackclient:
milestone: none → next
Changed in python-openstackclient:
milestone: next → none
Changed in python-openstackclient:
milestone: none → 1.9.0
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-openstackclient (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/382698

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on python-openstackclient (stable/liberty)

Change abandoned by Joshua Hesketh (<email address hidden>) on branch: stable/liberty
Review: https://review.openstack.org/382698
Reason: This branch (stable/liberty) is at End Of Life

This report contains Public Security information
Everyone can see this security related information.