From a51c654f7c57dbc56fef21f8bea4e358d64332fe Mon Sep 17 00:00:00 2001 From: Stefan Hundhammer Date: Wed, 13 Mar 2024 13:41:54 +0100 Subject: [PATCH 1/2] Guard secret attributes against leaking --- .../y2network/connection_config/wireless.rb | 12 ++++-- test/y2network/config_test.rb | 40 +++++++++++++++++++ 2 files changed, 49 insertions(+), 3 deletions(-) diff --git a/src/lib/y2network/connection_config/wireless.rb b/src/lib/y2network/connection_config/wireless.rb index 1c8396c4b6..5efddeb502 100644 --- a/src/lib/y2network/connection_config/wireless.rb +++ b/src/lib/y2network/connection_config/wireless.rb @@ -18,11 +18,14 @@ # find current contact information at www.suse.com. require "y2network/connection_config/base" +require "y2storage/secret_attributes" module Y2Network module ConnectionConfig # Configuration for wireless connections class Wireless < Base + include Y2Storage::SecretAttributes + # wireless options # # FIXME: Consider an enum @@ -34,13 +37,15 @@ class Wireless < Base attr_accessor :nwid # @return [Symbol] Authorization mode (:open, :shared, :psk, :eap) attr_accessor :auth_mode + # FIXME: Consider moving keys to different classes. # @return [String] WPA preshared key - attr_accessor :wpa_psk + secret_attr :wpa_psk # @return [Integer] attr_accessor :key_length + # @return [Array] WEP keys - attr_accessor :keys + secret_attr :keys # @return [Integer] default WEP key attr_accessor :default_key # @return [String] @@ -60,9 +65,10 @@ class Wireless < Base # FIXME: Consider an enum # @return [Integer] (0, 1, 2) attr_accessor :ap_scanmode + # TODO: unify psk and password and write correct one depending on mode # @return [String] - attr_accessor :wpa_password + secret_attr :wpa_password # @return [String] attr_accessor :wpa_identity # @return [String] initial identity used for creating tunnel diff --git a/test/y2network/config_test.rb b/test/y2network/config_test.rb index 9a30566a2b..c50fbbc92f 100644 --- a/test/y2network/config_test.rb 
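Review bot: The new `require "y2storage/secret_attributes"` at the top of wireless.rb makes this file depend on the storage library at load time, and nothing in this patch series shows the package declaring that dependency. The spec hunk in PATCH 2/2 changes only the `Version:` line. If the spec does not already list the package providing y2storage as both a build and a runtime requirement, loading `Y2Network::ConnectionConfig::Wireless` would fail with a LoadError on a system without it. The full spec is not visible here, so this needs confirming against it.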
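Review bot: The doc comments on the three converted attributes (`wpa_psk` and `keys` in this hunk, `wpa_password` in the `@@ -60,9 +65,10 @@` hunk) should state what `secret_attr` does and does not protect. Judging by the tests added in this same patch, the reader still returns the plain value (`conn.wpa_psk` equals the real password), so only the `inspect` output of the config object is masked. Any caller that logs or interpolates the reader's result still writes the secret out. I would add above each one a line such as `# Masked in #inspect via secret_attr; the reader returns the plain value, so never log it directly.` It is also worth checking, outside what these hunks show, that nothing reads `@wpa_psk`, `@keys` or `@wpa_password` directly, since the instance variable presumably now holds a wrapper object instead of the raw value.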
+++ b/test/y2network/config_test.rb @@ -545,4 +545,44 @@ end end end + + context "secret attributes (passwords, keys)" do + let(:conn) do + Y2Network::ConnectionConfig::Wireless.new.tap do |c| + c.wpa_psk = "s3cr3t" + c.wpa_password = "s3cr3t" + end + end + + describe ".inspect" do + it "does not leak a password" do + expect(conn.inspect).to_not match(/s3cr3t/) + end + + it "contains instead of passwords" do + expect(conn.inspect).to match(//) + end + end + + describe ".to_s" do + it "does not leak a password" do + # it's usually something like + # "#" + # so there shouldn't be any attributes - just making sure + expect(conn.to_s).to_not match(/s3cr3t/) + end + end + + describe ".wpa_psk" do + it "returns the real password" do + expect(conn.wpa_psk).to eq("s3cr3t") + end + end + + describe ".wpa_psk.to_s" do + it "returns the real password" do + expect(conn.wpa_psk.to_s).to eq("s3cr3t") + end + end + end end From 4930328f344575acbcdae17e92dff12e669add13 Mon Sep 17 00:00:00 2001 From: Stefan Hundhammer Date: Wed, 13 Mar 2024 15:22:55 +0100 Subject: [PATCH 2/2] Version bump and change log --- package/yast2-network.changes | 6 ++++++ package/yast2-network.spec | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/package/yast2-network.changes b/package/yast2-network.changes index a4335f80ab..e4add53830 100644 --- a/package/yast2-network.changes +++ b/package/yast2-network.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Mar 13 14:20:25 UTC 2024 - Stefan Hundhammer + +- Guard secret attributes against leaking to the log (bsc#1221194) +- 4.2.111 + ------------------------------------------------------------------- Mon Jul 4 11:54:34 UTC 2022 - Knut Anderssen diff --git a/package/yast2-network.spec b/package/yast2-network.spec index 22121a78a7..5d84385748 100644 --- a/package/yast2-network.spec +++ b/package/yast2-network.spec 
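Review bot: The new context sets only `wpa_psk` and `wpa_password`, so `keys`, the one converted attribute that holds an Array and not a String, is never exercised. Adding `c.keys = ["w3pk3y"]` (a constructed sample value) to the `let(:conn)` block, together with `expect(conn.inspect).to_not match(/w3pk3y/)` and `expect(conn.keys).to eq(["w3pk3y"])`, would cover it. Using a distinct value per attribute also shows which one leaked when an example fails. As rendered on this page, the second `.inspect` example asserts `match(//)`, which matches any string. If the placeholder text is missing from the file itself and not only from this rendering, that expectation is vacuous and should name the placeholder the mixin prints.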
@@ -17,7 +17,7 @@ Name: yast2-network -Version: 4.2.110 +Version: 4.2.111 Release: 0 Summary: YaST2 - Network Configuration License: GPL-2.0-only