secrets leaking on error #96

Open
johnypony3 opened this issue Sep 13, 2021 · 2 comments

Comments


johnypony3 commented Sep 13, 2021

Hi!
The http provider is leaking secrets on error, relevant source here: if err != nil {
It would be ideal to have this dump controlled via the log level.

Terraform Version

  • 1.0.2
  • 1.0.3

Affected Resource(s)

Please list the resources as a list, for example:

  • http

Terraform Configuration Files

variable "super_sensitive_value" {
  type      = string
  sensitive = true
  default   = "apparently_not_sensitive_enough"
}

data "http" "use_vault_result_in_a_call" {
  url = var.super_sensitive_value
}

Debug Output

│ Error: Error making request: Get "apparently_not_sensitive_enough": unsupported protocol scheme ""
│
│   with data.http.use_vault_result_in_a_call,
│   on main.tf line 18, in data "http" "use_vault_result_in_a_call":
│   18: data "http" "use_vault_result_in_a_call" {

Expected Behavior

The variable super_sensitive_value is expected to be hidden from logs as its marked as sensitive.

Actual Behavior

The variable super_sensitive_value is leaked to the log.

Steps to Reproduce

  1. terraform apply

References


kmoe commented Sep 27, 2021

Thanks for raising this, @johnypony3. Unfortunately the behaviour you see is expected at this point. Please see the documentation for Input Variables: https://www.terraform.io/docs/language/values/variables.html#cases-where-terraform-may-disclose-a-sensitive-variable

Providers cannot currently tell which variables are marked as sensitive in configuration and exclude them from error logging. The ability to represent this in the SDK is tracked in hashicorp/terraform-plugin-sdk#736.

While we could make the inclusion of the URL in the error message conditional on log level, this would mask the underlying issue, and could be confusing for users who expect URLs in error messages (see for example #55).

@kmoe kmoe self-assigned this Oct 4, 2021
@bflad bflad removed their assignment Feb 15, 2023

kubenstein commented Feb 26, 2024

I'm experiencing a similar issue, but with just normal requests. I have to make an https GET call with a URL containing a secret token. When applying, Terraform will log a full URL, disclosing sensitive data.

data.http.example-request: Read complete after 1s [id=https://mydomain.com/api/update?token=sensitive_secret_token]
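Both reports above come down to the same thing: the provider passes the raw url argument through to net/http, and both the resulting *url.Error (which embeds the full URL in its Error() string) and the data source ID echo it back. The following is an added example, written for this page and not code from terraform-provider-http, of how a provider could redact a URL before it reaches a diagnostic or an ID. It does not need the SDK to know which variables are sensitive: every query-string value, the userinfo password and the fragment are treated as secret, and a value that does not even parse as an absolute URL (the first report, where the secret itself was passed as the URL) is never echoed at all. The function names redactURL and describeRequestError are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// redactURL returns a form of rawURL that is safe to put in an error message or
// in a resource ID: the userinfo password and every query-string value are
// replaced with REDACTED and the fragment is dropped, while scheme, host, path
// and parameter names are kept so the reader still sees which request was made.
// (Secrets embedded in the path itself are not detected; that is a deliberate
// limit of this example, not a general guarantee.)
//
// A string that does not parse as an absolute URL (the original report, where a
// secret with no scheme was passed as the url argument) is not echoed back at
// all; only its length is reported.
func redactURL(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return fmt.Sprintf("<unparseable URL, %d bytes>", len(rawURL))
	}
	if u.User != nil {
		if _, hasPassword := u.User.Password(); hasPassword {
			u.User = url.UserPassword(u.User.Username(), "REDACTED")
		}
	}
	if u.RawQuery != "" {
		q := u.Query()
		for name := range q {
			q[name] = []string{"REDACTED"} // keep the parameter name, drop every value
		}
		u.RawQuery = q.Encode() // Encode sorts parameter names
	}
	u.Fragment = ""
	u.RawFragment = ""
	return u.String()
}

// describeRequestError builds the diagnostic text a provider would return to
// Terraform for a failed request. net/http wraps failures in *url.Error, whose
// Error() string embeds the full URL, so that string must not be used verbatim:
// the message is rebuilt from the operation, the redacted URL and the
// underlying cause (uerr.Err), which for transport errors names at most a
// host:port, never the full URL.
func describeRequestError(rawURL string, err error) string {
	var uerr *url.Error
	if errors.As(err, &uerr) {
		return fmt.Sprintf("Error making request: %s %q: %v", uerr.Op, redactURL(rawURL), uerr.Err)
	}
	return fmt.Sprintf("Error making request: %s: %v", redactURL(rawURL), err)
}

func main() {
	// Reproduces the first report: a secret with no scheme is used as the URL.
	// net/http rejects the empty scheme before any network I/O, so this runs
	// offline and yields the same `unsupported protocol scheme ""` error.
	secret := "apparently_not_sensitive_enough"
	_, err := http.Get(secret)
	fmt.Println("raw:     ", err)
	fmt.Println("redacted:", describeRequestError(secret, err))

	// The ID from the second report, with the token in the query string.
	fmt.Println("id:      ", redactURL("https://mydomain.com/api/update?token=sensitive_secret_token"))
}
```

Running it prints the provider-style message with the secret replaced by `<unparseable URL, 31 bytes>` and the ID as `https://mydomain.com/api/update?token=REDACTED`. The trade-off kmoe raises still applies: users debugging a wrong URL lose the query values, which is why the host, path and parameter names are kept rather than the whole URL being suppressed.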
