hashicorp/terraform-provider-http

secrets leaking on error

Opened this issue · 2 comments

Hi!
The http provider is leaking secrets on error, relevant source here: if err != nil {
It would be ideal to have this dump controlled via the log level.

Terraform Version

  • 1.0.2
  • 1.0.3

Affected Resource(s)

Please list the resources as a list, for example:

  • http

Terraform Configuration Files

variable "super_sensitive_value" {
  type      = string
  sensitive = true
  default   = "apparently_not_sensitive_enough"
}

data "http" "use_vault_result_in_a_call" {
  url = var.super_sensitive_value
}

Debug Output

│ Error: Error making request: Get "apparently_not_sensitive_enough": unsupported protocol scheme ""
│
│   with data.http.use_vault_result_in_a_call,
│   on main.tf line 18, in data "http" "use_vault_result_in_a_call":
│   18: data "http" "use_vault_result_in_a_call" {

Expected Behavior

The variable super_sensitive_value is expected to be hidden from logs as it's marked as sensitive.

Actual Behavior

The variable super_sensitive_value is leaked to the log.

Steps to Reproduce

  1. terraform apply

References

kmoe commented

Thanks for raising this, @johnypony3. Unfortunately the behaviour you see is expected at this point. Please see the documentation for Input Variables: https://www.terraform.io/docs/language/values/variables.html#cases-where-terraform-may-disclose-a-sensitive-variable

Providers cannot currently tell which variables are marked as sensitive in configuration and exclude them from error logging. The ability to represent this in the SDK is tracked in hashicorp/terraform-plugin-sdk#736.

While we could make the inclusion of the URL in the error message conditional on log level, this would mask the underlying issue, and could be confusing for users who expect URLs in error messages (see for example #55).

I'm experiencing a similar issue, but with just normal requests. I have to make an https GET call with a URL containing a secret token. When applying, Terraform will log a full URL, disclosing sensitive data.

data.http.example-request: Read complete after 1s [id=https://mydomain.com/api/update?token=sensitive_secret_token]
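As an added illustration, not code from the http provider itself: one way a Go provider could redact a URL before it reaches an error message or a log line, covering both cases in this thread, the non-URL sensitive value that net/http echoes back inside a *url.Error, and the token-bearing query string shown in the resource id. The names redactURL and safeRequestError and the sample inputs are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// redactURL returns a copy of raw with any userinfo password, every query
// value and the fragment masked, so scheme, host and path stay visible for
// troubleshooting while embedded secrets do not. When raw is not a usable
// URL (no scheme), a fixed placeholder is returned instead of the raw string;
// that is the case in the issue above, where a sensitive value that is not a
// URL at all is otherwise repeated verbatim in the error.
func redactURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" {
		return "<redacted: not a valid URL>"
	}
	if u.User != nil {
		if _, hasPw := u.User.Password(); hasPw {
			u.User = url.UserPassword(u.User.Username(), "REDACTED")
		}
	}
	q := u.Query()
	for k := range q {
		q[k] = []string{"REDACTED"}
	}
	u.RawQuery = q.Encode()
	u.Fragment = ""
	return u.String()
}

// safeRequestError builds the "error making request" message with the URL
// redacted. net/http wraps transport failures in *url.Error, whose Error()
// text repeats the full URL, so only the inner error is wrapped here.
func safeRequestError(raw string, err error) error {
	var ue *url.Error
	if errors.As(err, &ue) {
		err = ue.Err
	}
	return fmt.Errorf("error making request to %s: %w", redactURL(raw), err)
}

func main() {
	// Constructed sample values mirroring the two reports in this thread.
	fmt.Println(redactURL("https://mydomain.com/api/update?token=sensitive_secret_token"))
	fmt.Println(safeRequestError("apparently_not_sensitive_enough",
		&url.Error{Op: "Get", URL: "apparently_not_sensitive_enough", Err: errors.New(`unsupported protocol scheme ""`)}))
}
```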