Garden appears to be leaking VCAP_SERVICES credentials at Info log level

Question

Garden appears to be leaking VCAP_SERVICES credentials at Info log level

Closed this issue 9 years ago · 4 comments

https://github.com/cloudfoundry-incubator/garden/blob/master/server/request_handling.go#L879

I get log messages like the following:

{"timestamp":"1439843148.358169794","source":"garden-linux","message":"garden-linux.garden-server.run.spawned","log_level":1,"data":{"handle":"43037009-d8ec-4f73-bcc4-e24db14daf5c-02abe464-aa47-42e0-9796-48caf6cee31b-16197ae0-3109-42c3-58b7-130cb61a1a9f","id":1,"session":"4.121","spec":{"path":"/tmp/lifecycle/launcher","args":["app","",""],"env":["VCAP_APPLICATION={\"limits\":{\"mem\":512,\"disk\":20480,\"fds\":16384},\"application_id\":\"43037009-d8ec-4f73-bcc4-e24db14daf5c\",\"application_version\":\"02abe464-aa47-42e0-9796-48caf6cee31b\",\"application_name\":\"test-cf\",\"version\":\"02abe464-aa47-42e0-9796-48caf6cee31b\",\"name\":\"test-cf\",\"space_name\":\"mikeytown\",\"space_id\":\"2246fa97-f21b-4cc0-a107-613c55f63198\"}","VCAP_SERVICES={My Service credentials are in HERE}","MEMORY_LIMIT=512m","CF_STACK=cflinuxfs2","https_proxy=https://fwproxy.ldschurch.org:80","PORT=8080","CF_INSTANCE_IP=10.61.137.191","CF_INSTANCE_PORT=60000","CF_INSTANCE_ADDR=10.61.137.191:60000","CF_INSTANCE_PORTS=60000:8080"],"user":"vcap","rlimits":{"nofile":16384}}}}

Answer 1 · 2015-08-19T23:04:12.000Z

We have created an issue in Pivotal Tracker to manage this. You can view the current status of your issue at: https://www.pivotaltracker.com/story/show/101641564.

Answer 2 · 2015-08-19T23:09:20.000Z

It also appears to sometimes log ssh private keys when sshing:

{"timestamp":"1440010390.752251863","source":"garden-linux","message":"garden-linux.garden-server.run.spawned","log_level":1,"data":{"handle":"3202d200-db1a-4dc3-803b-eff77a4dbc8c-b7441f98-58e2-4617-9675-e73feffe23c2-8e230a46-c414-4fb7-4a53-ac5dacd5183d","id":2,"session":"4.81705","spec":{"path":"/tmp/lifecycle/diego-sshd","args":["-address=0.0.0.0:2222","-hostKey=-----BEGIN RSA PRIVATE KEY-----
My private Key here
\n-----END RSA PRIVATE KEY-----\n","-authorizedKey=ssh-rsa {SOME OTHER KEY HERE}\n","-inheritDaemonEnv","-logLevel=fatal"],"env":["VCAP_APPLICATION={\"limits\":{\"mem\":1024,\"disk\":20480,\"fds\":16384},\"application_id\":\"3202d200-db1a-4dc3-803b-eff77a4dbc8c\",\"application_version\":\"b7441f98-58e2-4617-9675-e73feffe23c2\",\"application_name\":\"mltest\",\"version\":\"b7441f98-58e2-4617-9675-e73feffe23c2\",\"name\":\"mltest\",\"space_name\":\"marklogic-demo\",\"space_id\":\"c4188b8f-f799-4c1a-a565-704f91db455f\"}","VCAP_SERVICES={}","MEMORY_LIMIT=1024m","CF_STACK=cflinuxfs2","PORT=7070","CF_INSTANCE_IP=10.61.137.191","CF_INSTANCE_PORT=60016","CF_INSTANCE_ADDR=10.61.137.191:60016","CF_INSTANCE_PORTS=60016:7070,60017:2222"],"user":"dockeruser","rlimits":{"nofile":16384}}}}

Answer 3 · 2015-08-20T14:19:37.000Z

Thanks @youngm, we'll take a look at this and get something scheduled to fix the issue.

Answer 4 · 2015-09-03T13:48:16.000Z

This was fixed in d90a237 🍰 ✨