pam: Use safer handler for debugging bubble tea messages without disclosing information #876
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #876 +/- ##
==========================================
- Coverage 85.45% 85.41% -0.05%
==========================================
Files 80 80
Lines 5550 5588 +38
Branches 109 109
==========================================
+ Hits 4743 4773 +30
- Misses 752 756 +4
- Partials 55 59 +4 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
3v1n0
force-pushed
the
do-not-leak-newpassword
branch
from
777e433 to
deb0a9c
Compare
There was a problem hiding this comment.
Isn't this "too much effort" to format something that we are in control of? If this kind of changes are necessary, I think that maybe we should take another look at our debug messages and do a better job at avoiding leaking secrets in those messages rather than using this logic, no?
|
Maybe... But at this point the effort has been mostly done already 😅 and since this leak happened after that some time ago we saw others, I just preferred to have a central place to ensure we can protect info and format better others... Instead than checking continuously every single place were we debug |
3v1n0
force-pushed
the
do-not-leak-newpassword
branch
from
deb0a9c to
f391f85
Compare
We were debugging this message, but it contains information we may not want to disclose, neither in debug mode
3v1n0
force-pushed
the
do-not-leak-newpassword
branch
2 times, most recently
from
6bc876f to
55981c4
Compare
We need to log the tea messages but they may contain information that we don't want to disclose. So let's move the logging of the messages to a single place so that we can avoid specific logic in each Update handler, and be consistent to ensure that no message containing personal information won't be disclosed. At the same time such information is very useful when testing, so add different implementations that are used when building in debug mode or during tests. Add also unit tests to ensure that the messages rewrite works
Since we can have a safe renderer now, hide the data so that's clearer what message is being handled. At the same time, add a clear-text version for debugging and testing purposes
When logging make it clearer the stage we're going to
3v1n0
force-pushed
the
do-not-leak-newpassword
branch
from
55981c4 to
1a00d17
Compare
|
I agree that this feels like too much effort. On the other hand, we are logging bubbletea messages in a lot of places, and should make sure that we don't log any user secrets in any of those. In the diff, it looks like many of those places are after after a switch-case-statement which checks the message type, so maybe we don't need the check in most of those, and the number of places where we need to actually consider whether the message could contain a secret or not becomes manageable? I would trust @3v1n0's best judgement here, since he is the one who has to deal with this code base the most. As a side note, I hope that one day we can rewrite this code and get rid of bubbletea, which will hopefully reduce a lot of complexity and make it easier to figure out what's going on (including what we're actually printing with a debug statement). |
Sure, but I also wanted to improve the logging for other specific cases, and this code is basically a no-op when no debugging is enabled, so an extra-type check in such case isn't a big deal. Thus, from my POV this is the safest way we have at the moment to both achieve:
|
When debug mode is enabled, during ssh sessions we are disclosing some new-password information.
So avoid this to happen, but also take the occasion to make the messages logging safer and more helpful in debug and test builds so that we can show all the information when it's safe, while not expose anything relevant in release builds.
UDENG-6647