do these error messages leak secrets?
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
juju-core (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
Hello, a coworker pasted this error message:
https:/
which appears to include a hex-encoded version of user-data supplied to a cloud guest that failed to launch:
juju list-machines
Machine State DNS Inst id Series AZ Message
23 down 10.xx.xx.xx xxxxxxxx-
...
The UserData field is quite long and looks like it can contain plaintext passwords:
- https:/
- https:/
- https:/
- https:/
or access tokens:
- https:/
- https:/
Is this error message only available to people who could read the supplied user data through another mechanism?
Can the secrets be elided from the user data before it's printed to logs or output for user consumption?
Thanks
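
Added example, not part of the bug report and not juju's own code: one way to elide the whole UserData payload from an error string before it reaches logs or status output, keeping only its length. The message layout, the `RedactUserData` name and the sample values are assumptions, since the pasted error itself is not shown on this page.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"regexp"
)

// userDataField matches a field named UserData (or user_data), a ':' or '='
// separator, and a run of at least 16 hex digits, with optional quotes.
// Assumption: the real provider error format is not visible on the page.
var userDataField = regexp.MustCompile(
	`(?i)("?user_?data"?\s*[:=]\s*"?)([0-9a-f]{16,})("?)`)

// RedactUserData replaces the hex payload of every UserData field with a
// length-only marker. The payload is treated as opaque: nothing inside it is
// inspected, so passwords and tokens are dropped without having to be
// recognised first.
func RedactUserData(msg string) string {
	return userDataField.ReplaceAllStringFunc(msg, func(m string) string {
		p := userDataField.FindStringSubmatch(m)
		return fmt.Sprintf("%s<redacted %d bytes>%s", p[1], len(p[2])/2, p[3])
	})
}

func main() {
	// Constructed sample: cloud-config with a plaintext password, hex-encoded
	// the way the report describes the UserData field.
	payload := hex.EncodeToString([]byte("#cloud-config\npassword: hunter2\n"))
	msg := `cannot run instance: {"Name": "machine-23", "UserData": "` +
		payload + `"}`

	fmt.Println(RedactUserData(msg))
}
```

Redacting at the point where the error is constructed covers every consumer of the message; filtering only in the CLI would still leave the payload in server-side logs.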
Hi, is anyone from the juju team looking into this?