Sensitive variables are logged when escaped for powershell #12918

Open
zinkj opened this issue Apr 12, 2024 · 1 comment
Labels
bug stage/needs-discussion stage/thinking Flagged for internal discussions about possible enhancements

Comments


zinkj commented Apr 12, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Overview of the Issue

When sensitive variables contain characters that require escaping, the logs will print that sensitive variable in its escaped form.

Reproduction Steps

Run example from powershell with PACKER_LOG=1:

```powershell
$Env:PACKER_LOG=1;& .\packer.exe build -var password="abc`$123" password.pkr.hcl
```

Packer version

Packer v1.10.2

Simplified Packer Template

```hcl
variable "password" {
  type      = string
  sensitive = true
}

source "file" "basic-example" {
  content = "Lorem ipsum dolor sit amet"
  target  = "dummy_artifact"
}

build {
  sources = ["sources.file.basic-example"]

  provisioner "powershell" {
    environment_vars = [
      "PASSWORD=${var.password}",
    ]
    inline = ["echo foo"]
  }
}
```

Operating system and Environment details

Windows Server 2022

Log Fragments and crash.log files

```
2024/04/12 10:11:48 packer.exe plugin: Env var <sensitive> converted to abc`$123 after escaping chars special to PS
```

Full Logs

@zinkj zinkj added the bug label Apr 12, 2024
@lbajolet-hashicorp (Contributor)

Hi @zinkj,

Thanks for the report. Looking at the problem, however, I'm not sure we'll be able to offer a good solution with the current architecture regarding log filtering.

The way we do things re: sensitive variables is essentially by strings.Replace(sensitiveVariable, "<sensitive>", -1), which in effect, if the variable gets escaped one way or another, won't match anymore.
We don't have agency on what gets printed by custom code, and it wouldn't be feasible to support every possible escaping scheme under the sun, therefore I'm not sure we have a good way to handle cases like these, at least without seriously rethinking/refactoring how this gets printed out.

I'll keep this issue open for now, but this seems unlikely to happen in the short/medium term, sorry.

@lbajolet-hashicorp lbajolet-hashicorp added stage/thinking Flagged for internal discussions about possible enhancements stage/needs-discussion labels Apr 23, 2024
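The behaviour discussed in this thread, as an added Go example that is not Packer's own code: exact-match redaction masks the raw secret but lets its escaped form through, and a filter that is also given the escaped variants masks both. The function names and `psEscape` (a simplified backtick escaper) are hypothetical, and the log line is constructed from the fragment in the report.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// psEscape is a hypothetical, simplified escaper (an assumption, not Packer's
// actual rules): it backtick-escapes the characters `, $ and ".
func psEscape(s string) string {
	return strings.NewReplacer("`", "``", "$", "`$", `"`, "`\"").Replace(s)
}

// redactExact is exact-match filtering as described in the maintainer's comment.
func redactExact(line string, secrets []string) string {
	for _, s := range secrets {
		if s != "" {
			line = strings.ReplaceAll(line, s, "<sensitive>")
		}
	}
	return line
}

// redactWithVariants also masks each secret's transformed forms. It covers only
// the transforms passed in, which is the limitation the maintainer describes.
func redactWithVariants(line string, secrets []string, transforms ...func(string) string) string {
	forms := append([]string{}, secrets...)
	for _, s := range secrets {
		for _, t := range transforms {
			forms = append(forms, t(s))
		}
	}
	// Longest first, so a shorter form never leaves fragments of a longer one.
	sort.SliceStable(forms, func(i, j int) bool { return len(forms[i]) > len(forms[j]) })
	return redactExact(line, forms)
}

func main() {
	// Assumed value of var.password once PowerShell has parsed the command line.
	secrets := []string{"abc$123"}
	// Constructed log line modelled on the fragment in the report.
	line := "Env var " + secrets[0] + " converted to " + psEscape(secrets[0]) + " after escaping chars special to PS"
	fmt.Println(redactExact(line, secrets))
	fmt.Println(redactWithVariants(line, secrets, psEscape))
}
```

Until the filter knows about escaped forms, the practical check is to search build logs for the escaped value as well as the raw one when `PACKER_LOG` is enabled.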