tiup leaks credential through environment printing #2462

Open
mzhang77 opened this issue Oct 18, 2024 · 1 comment
Labels
type/bug Categorizes issue as related to a bug.

Comments

@mzhang77 commented Oct 18, 2024

Bug Report

  1. What did you do?
    Any tiup cluster command, e.g.
    tiup cluster list

  2. What did you expect to see?
    The command should be safe to run.

  3. What did you see instead?
    In ~/.tiup/logs/tiup-cluster-debug-2023-12-09-23-45-09.log
    and ~/.tiup/storage/cluster/audit/XXXX AWS secrets leak through ENV var printing:

    ... "AWS_SECRET_ACCESS_KEY=REDACTED", ...

    The same information also leaks into

  4. What version of TiUP are you using (tiup --version)?
    tiup --version
    1.16.0 tiup
    Go Version: go1.21.11
    Git Ref: v1.16.0
    GitHash: e543145831d44a863366ff8c379d25980730bbd1
mzhang77 added the type/bug label Oct 18, 2024

@mzhang77 (Author) commented

I think code is here:

zap.L().Debug("Environment variables", zap.Strings("env", os.Environ()))

and
zap.L().Debug("Environment variables", zap.Strings("env", os.Environ()))

There is nowhere in tiup where the user can set the log level. By default, this debug information should not be written to a file.

mzhang77 changed the title from "tiup leaks credential through environment printing in audit" to "tiup leaks credential through environment printing" on Oct 18, 2024
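The pattern the reporter points at, a raw os.Environ() dump sent to a debug-level logger whose output lands in a file, beside two safer alternatives, as an added example that is not TiUP's own code. It uses the standard-library log/slog instead of zap so it runs with no dependencies; the function names (redactEnv, envKeys, logEnvironment, leaksValue), the secret-name regex and the sample environment are all assumptions made for this illustration, and the secret value is a constructed placeholder.

```go
package main

import (
	"bytes"
	"fmt"
	"log/slog"
	"regexp"
	"strings"
)

// secretKeyPattern matches variable names that conventionally carry
// credentials. Illustrative list for this example, not TiUP's logic;
// extend it for your environment.
var secretKeyPattern = regexp.MustCompile(`(?i)(SECRET|PASSWORD|PASSWD|TOKEN|PRIVATE_KEY|API_KEY|CREDENTIAL)`)

// redactEnv returns a copy of env (KEY=VALUE entries, as os.Environ()
// produces) with the value replaced by "[REDACTED]" when the key looks
// like a credential. Entries without '=' are passed through unchanged.
func redactEnv(env []string) []string {
	out := make([]string, 0, len(env))
	for _, kv := range env {
		key, _, found := strings.Cut(kv, "=")
		if found && secretKeyPattern.MatchString(key) {
			out = append(out, key+"=[REDACTED]")
			continue
		}
		out = append(out, kv)
	}
	return out
}

// envKeys returns only the variable names. This is the safest thing to
// put in a persistent debug log: it records what was set, never a value,
// so it also covers secrets hiding under non-obvious names (e.g. a
// connection URL with an embedded password) that redactEnv cannot spot.
func envKeys(env []string) []string {
	keys := make([]string, 0, len(env))
	for _, kv := range env {
		key, _, _ := strings.Cut(kv, "=")
		keys = append(keys, key)
	}
	return keys
}

// logEnvironment writes env to a debug-level logger backed by w (standing
// in for the log file). With redact=false it reproduces the leaking
// pattern from the issue; with redact=true only sanitized entries reach w.
func logEnvironment(w *bytes.Buffer, env []string, redact bool) {
	logger := slog.New(slog.NewTextHandler(w, &slog.HandlerOptions{Level: slog.LevelDebug}))
	if redact {
		env = redactEnv(env)
	}
	logger.Debug("Environment variables", "env", env)
}

// leaksValue reports whether a captured log contains the given secret.
func leaksValue(logOutput, secret string) bool {
	return strings.Contains(logOutput, secret)
}

func main() {
	// Constructed sample environment; in a real program this would be
	// os.Environ(). The secret value is a placeholder, not a real key.
	sample := []string{
		"HOME=/home/tidb",
		"AWS_ACCESS_KEY_ID=AKIAEXAMPLE",
		"AWS_SECRET_ACCESS_KEY=ThisIsNotARealSecret123",
		"TIUP_HOME=/home/tidb/.tiup",
	}
	var raw, safe bytes.Buffer
	logEnvironment(&raw, sample, false)
	logEnvironment(&safe, sample, true)
	fmt.Println("unredacted log leaks secret:", leaksValue(raw.String(), "ThisIsNotARealSecret123"))
	fmt.Println("redacted log leaks secret:  ", leaksValue(safe.String(), "ThisIsNotARealSecret123"))
	fmt.Println("keys only:", envKeys(sample))
}
```

Name-based redaction is a heuristic: it stops the AWS_SECRET_ACCESS_KEY case from the report but lets through any value whose key is not on the list, so logging only keys (or not logging the environment to disk at all) is the stronger fix, and it matters more when, as the reporter notes, the user has no way to turn debug output off.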