1366795 – Build Logs Proxy Usernames and Passwords that might be sensitive

Bug 1366795 - Build Logs Proxy Usernames and Passwords that might be sensitive

Summary: Build Logs Proxy Usernames and Passwords that might be sensitive

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	ImageStreams
Sub Component:
Version:	3.2.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	low
Target Milestone:	---
Target Release:	---
Assignee:	Ben Parees
QA Contact:	Wang Haoran
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1428476 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-08-12 20:43 UTC by Eric Rich
Modified:	2020-12-14 07:40 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: Proxy values are logged during builds. Consequence: Proxy values that contain user credentials are exposed to anyone who can view build logs. Fix: Credentials that are part of proxy values(e.g. http://user:password@proxy.com) will be redacted from the proxy value being logged. Result: Proxy credentials will no longer be exposed in build logs.
Clone Of:
Environment:
Last Closed:	2017-08-10 05:15:47 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2017:1716	0	normal	SHIPPED_LIVE	Red Hat OpenShift Container Platform 3.6 RPM Release Advisory	2017-08-10 09:02:50 UTC

Description Eric Rich 2016-08-12 20:43:01 UTC

Description of problem:

The build log for the project contains the proxy username and password.  Some administrators may not want all of the users of the OpenShift system to have easy access to the proxy username and password. 

Version-Release number of selected component (if applicable): 3.2
How reproducible: 100% 

Steps to Reproduce:
1.set the proxy variables according to https://docs.openshift.com/enterprise/latest/install_config/install/advanced_install.html#advanced-install-configuring-global-proxy.  
2. I created a project then created a new application based on template. 
3. Review Build Logs 

Actual results:

I0811 20:55:36.204801       1 docker.go:599] Creating container with options {Name:"" Config:&{Hostname: Domainname: User: Memory:0 MemorySwap:0 MemoryReservation:0 KernelMemory:0 CPUShares:0 CPUSet: AttachStdin:false AttachStdout:true AttachStderr:false PortSpecs:[] ExposedPorts:map[] StopSignal: Tty:false OpenStdin:true StdinOnce:true Env:[OPENSHIFT_BUILD_NAME=nodejs-example-1 OPENSHIFT_BUILD_NAMESPACE=brrichin OPENSHIFT_BUILD_SOURCE=https://github.com/openshift/nodejs-ex.git NPM_MIRROR= HTTP_PROXY=http://SUPERSECRETUSER:SUPERSECRETPASSWORD@proxy.example.com:8080 HTTPS_PROXY=http://SUPERSECRETUSER:SUPERSECRETPASSWORD@proxy.example.com:8080 NO_PROXY=.cluster.local,example.com,lpv-webosesbx09.co.example.com http_proxy=http://SUPERSECRETUSER:SUPERSECRETPASSWORD@proxy.example.com:8080 https_proxy=http://SUPERSECRETUSER:SUPERSECRETPASSWORD@proxy.example.com:8080 no_proxy=.cluster.local,example.com,lpv-webosesbx09.co.example.com] Cmd:[/bin/sh -c tar -C /tmp -xf - && /usr/libexec/s2i/assemble] DNS:[] Image:registry.access.redhat.com/openshift3/nodejs-010-rhel7:latest Volumes:map[] VolumeDriver: VolumesFrom: WorkingDir: MacAddress: Entrypoint:[] NetworkDisabled:false SecurityOpts:[] OnBuild:[] Mounts:[] Labels:map[]} HostConfig:&{Binds:[] CapAdd:[] CapDrop:[KILL MKNOD SETGID SETUID SYS_CHROOT] GroupAdd:[] ContainerIDFile: LxcConf:[] Privileged:false PortBindings:map[] Links:[] PublishAllPorts:false DNS:[] DNSOptions:[] DNSSearch:[] ExtraHosts:[] VolumesFrom:[] NetworkMode:container:3c356149eefcdb2be6cd70fa5fb6ae218edcad354280b91eaff69f6c6bef1874 IpcMode: PidMode: UTSMode: RestartPolicy:{Name: MaximumRetryCount:0} Devices:[] LogConfig:{Type: Config:map[]} ReadonlyRootfs:false SecurityOpt:[] CgroupParent: Memory:92233720368547 MemorySwap:92233720368547 MemorySwappiness:0 OOMKillDisable:false CPUShares:2 CPUSet: CPUSetCPUs: CPUSetMEMs: CPUQuota:-1 CPUPeriod:100000 BlkioWeight:0 Ulimits:[] VolumeDriver: OomScoreAdj:0}} ...
I0811 20:55:36.514630       1 docker.go:622] Attaching to container "66d045be7eb34b5ac974fa28e7da241f425b0ff814ecd929374871209180381f" ...
I0811 20:55:36.514762       1 docker.go:631] Starting container "66d045be7eb34b5ac974fa28e7da241f425b0ff814ecd929374871209180381f" ...
---> Installing application source ...
---> Setting npm http proxy to http://SUPERSECRETUSER:SUPERSECRETPASSWORD@proxy.example.com:8080
---> Setting npm http proxy to http://SUPERSECRETUSER:SUPERSECRETPASSWORD@proxy.example.com:8080
---> Setting npm https proxy to http://SUPERSECRETUSER:SUPERSECRETPASSWORD@proxy.example.com:8080
---> Setting npm https proxy to http://SUPERSECRETUSER:SUPERSECRETPASSWORD@proxy.example.com:8080
---> Building your Node application from source

Expected results:

That the username and password be obfuscated. 

Additional info:

Comment 1 Ben Parees 2016-08-12 20:47:13 UTC

if you have access to the build, you have access to the proxy configuration, whether via logs or just looking at the build pod definition, it's not possible to hide that information.

Comment 5 Ben Parees 2017-03-03 14:44:42 UTC

*** Bug 1428476 has been marked as a duplicate of this bug. ***

Comment 14 Ben Parees 2017-04-12 19:08:21 UTC

changes to s2i are here:
https://github.com/openshift/source-to-image/pull/721

will need to bump into origin and probably make additional changes in origin to complete this.

Comment 15 Ben Parees 2017-04-13 02:55:27 UTC

PR for origin: https://github.com/openshift/origin/pull/13751

Comment 17 Dongbo Yan 2017-06-05 07:13:49 UTC

Verified
openshift v3.6.88
kubernetes v1.6.1+5115d708d7

# oc new-build openshift/nodejs:4\~https://github.com/openshift/nodejs-ex -e http_proxy\=http://user:passwd@172.30.207.77:3128 -e https_proxy\=http://user:passwd@172.30.207.77:3128 -e HTTP_PROXY\=http://user:passwd@172.30.207.77:3128 -e HTTPS_PROXY\=http://user:passwd@172.30.207.77:3128

# oc logs -f bc/nodejs-ex
Cloning "https://github.com/openshift/nodejs-ex" ...
	Commit:	3d44de3ba8fef0b2baca4ddd001c0db286ea4cd3 (Merge pull request #117 from openshift/revert-112-revert-111-nodejs6)
	Author:	Ben Parees <bparees.github.com>
	Date:	Tue May 23 15:54:29 2017 -0400
Using HTTP proxy http://redacted@172.30.207.77:3128 and HTTPS proxy http://redacted@172.30.207.77:3128 for script download

doesn't show user and password in build log, so move to verified

But like comment13 mentioned, should also update language images, otherwise it will still show proxy user and password

Comment 18 Dongbo Yan 2017-07-06 08:15:15 UTC

Hi, Honza
please check comment13

Comment 20 errata-xmlrpc 2017-08-10 05:15:47 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1716

Note You need to log in before you can comment on or make changes to this bug.