Skip to content

Redact SSH key from URL query parameter #348

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jan 3, 2022
Merged

Redact SSH key from URL query parameter #348

merged 2 commits into from
Jan 3, 2022

Conversation

macedogm
Copy link
Contributor

@macedogm macedogm commented Jan 3, 2022

This PR changes:

  1. Redact SSH key from URL query parameter when printing the URL after a download error happens.
  2. Changed redaction from xxxxx to redacted.
  3. Added two tests for the SSH key redaction.
  4. Added .gitignore.

Signed-off-by: Guilherme Macedo [email protected]

@hashicorp-cla
Copy link

hashicorp-cla commented Jan 3, 2022
edited
Loading

CLA assistant check
All committers have signed the CLA.

@schmichael
Copy link
Member

Thanks @macedogm!

Doesn't look like any HashiCorp tooling calls RedactURL directly, and we don't universally guarantee error string backward compatibility, so this seems safe to merge from a compatibility standpoint. Code looks good too!

@schmichael schmichael merged commit f5cbbb4 into hashicorp:main Jan 3, 2022
@macedogm macedogm deleted the sshkey-redact branch January 3, 2022 23:14
@macedogm
Copy link
Contributor Author

macedogm commented Jan 5, 2022

@schmichael Thanks a lot for the quick review. 👍🏻

@macedogm
Copy link
Contributor Author

Hi @schmichael, do you know when a new release will be made with this fix, please?

@schmichael
Copy link
Member

Done! Unsure when it will make it into downstream tools (Terraform, Nomad, etc) though.

@schmichael schmichael mentioned this pull request Jan 12, 2022
Merged
schmichael added a commit to hashicorp/nomad that referenced this pull request Jan 12, 2022
@schmichael
deps: update go-getter to v1.5.11
d65c6fc 
Pulls in hashicorp/go-getter#348

Fixes the possibility to log an sshkey if a specific error condition is
hit.
@GoVulnBot GoVulnBot mentioned this pull request Apr 27, 2022
Closed
@jba jba mentioned this pull request Apr 27, 2022
Open
@msmeissn
Copy link

Mitre assigned CVE-2022-29810 to this.

@picatz picatz mentioned this pull request May 9, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@macedogm @hashicorp-cla @schmichael @msmeissn