Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Trace logging is allowed in non-elevated session #3603

Closed
6 tasks done
gep13 opened this issue Jan 22, 2025 · 1 comment · Fixed by #3605
Closed
6 tasks done

Trace logging is allowed in non-elevated session #3603

gep13 opened this issue Jan 22, 2025 · 1 comment · Fixed by #3605
Assignees
@gep13
Labels
4 - Done Bug Security
Milestone
1.4.2

Comments

@gep13
Copy link
Member

gep13 commented Jan 22, 2025

Checklist

  • I confirm there are no unresolved issues reported on the Chocolatey Status page.
  • I have verified this is the correct repository for opening this issue.
  • I have verified no other issues exist related to my problem.
  • I have verified this is not an issue for a specific package.
  • I have verified this issue is not security related.
  • I confirm I am using official, and not unofficial, or modified, Chocolatey products.

What You Are Seeing?

Chocolatey CLI has a number of logging levels, including debug, verbose and trace. Each one of these levels increases the level of detail included in the output. trace in particular includes low level logging around outgoing requests to the configured sources. Based on conversations within the team, the decision has been taken to only allow trace logging when running in an elevated session.

What is Expected?

No sensitive information should be output to the console when using the --trace option, when not running in an elevated session.

How Did You Get This To Happen?

Run choco search --trace

System Details

  • Operating System: Windows 11
  • Windows PowerShell version: 5.1.26100.2161
  • Chocolatey CLI Version: 2.4.1
  • Chocolatey Licensed Extension version: 6.3.0
  • Chocolatey License type: Business
  • Terminal/Emulator: Windows Terminal

Installed Packages

N/A

Output Log

N/A

Additional Context

None
@gep13 gep13 added this to the 1.4.2 milestone Jan 22, 2025
@gep13 gep13 self-assigned this Jan 22, 2025
gep13 added a commit to gep13/choco that referenced this issue Jan 22, 2025
@gep13
(chocolatey#3603) Don't allow trace logging when no elevated
cf06740 
Prior to this change, trace level logging was available to everyone.
However, due to the sensitive nature of some of the output, the
decision has been taken to restrict trace logging to only elevated
sessions.

When an attempt is made to use trace logging in a non-elevated session,
a warning will be shown, and no trace logging will be shown.  In
addition, if the -r option is in play, the warning about no trace
logging will go to the log file, but won't be displayed.
This was referenced Jan 22, 2025
Merged
Merged
@gep13 gep13 linked a pull request Jan 22, 2025 that will close this issue
(#3603) Don't allow trace logging when not elevated #3605
Merged
10 tasks
@gep13
Copy link
Member Author

gep13 commented Jan 22, 2025

NOTE: This is a back-ported issue, for a change that is going out in 2.4.2 of Chocolatey CLI: #3604

corbob added a commit that referenced this issue Jan 22, 2025
@corbob
Merge pull request #3605 from gep13/issue-3603
d658139 
(#3603) Don't allow trace logging when no elevated
@corbob corbob closed this as completed Jan 22, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@gep13 gep13

Labels
4 - Done Bug Security
Projects
None yet
Milestone
1.4.2
Development

Successfully merging a pull request may close this issue.

(#3603) Don't allow trace logging when not elevated gep13/choco
2 participants
@gep13 @corbob