Authorization data leaked when TF_LOG=DEBUG
mars opened this issue · 3 comments
Running Terraform in debug mode, authorization credentials are leaked to stdout.
TF_LOG=DEBUG terraform apply logs all HTTP requests to the Heroku Platform API, including the secret Authorization header value.
Terraform Version
0.12.20
Heroku Provider Version
2.3.0
Affected Resource(s)
All resources.
Terraform Configuration Files
Any resources.
Debug Output
Authorization value is (redacted) in this sample:
2020-04-15T03:31:03.6173020Z 2020/04/15 03:31:03 GET /spaces/7e9db32b-7903-4fed-b163-d156febec18d HTTP/1.1
2020-04-15T03:31:03.6173817Z Host: api.heroku.com
2020-04-15T03:31:03.6174985Z User-Agent: heroku/v5 (linux; amd64) terraform-provider-heroku/test
2020-04-15T03:31:03.6177757Z Accept: application/vnd.heroku+json; version=3
2020-04-15T03:31:03.6178205Z Authorization: (redacted)
2020-04-15T03:31:03.6178733Z Request-Id: 7c6ca981-8ae4-4c72-bac3-4cd4eda4bae9
2020-04-15T03:31:03.6179060Z Accept-Encoding: gzip
2020-04-15T03:31:03.6179377Z
2020-04-15T03:31:04.3317845Z 2020/04/15 03:31:04 HTTP/2.0 200 OK
2020-04-15T03:31:04.3319392Z Cache-Control: private, no-cache
2020-04-15T03:31:04.3320205Z Content-Expansion: region
2020-04-15T03:31:04.3321264Z Content-Type: application/json
2020-04-15T03:31:04.3321585Z Date: Wed, 15 Apr 2020 03:31:04 GMT
2020-04-15T03:31:04.3321773Z Etag: "1b680af0b3af0cfc0ebeac0518c2be85"
2020-04-15T03:31:04.3322213Z Last-Modified: Wed, 15 Apr 2020 03:31:04 GMT
2020-04-15T03:31:04.3322520Z Oauth-Scope: global
2020-04-15T03:31:04.3322853Z Oauth-Scope-Accepted: global
2020-04-15T03:31:04.3323178Z Ratelimit-Multiplier: 1
2020-04-15T03:31:04.3323505Z Ratelimit-Remaining: 4499
2020-04-15T03:31:04.3324172Z Request-Id: 82114d94-ea28-43f3-a4b9-ee58944e9462,7c6ca981-8ae4-4c72-bac3-4cd4eda4bae9,7f92e144-e302-3f50-411f-03d6653d5eaf,dd2b302f-45e9-9200-456f-6dabc1dd616f
2020-04-15T03:31:04.3324527Z Vary: Accept-Encoding
2020-04-15T03:31:04.3324941Z Via: 1.1 spaces-router (d1390724e8f6), 2.0 spaces-router (d1390724e8f6)
2020-04-15T03:31:04.3325294Z X-Content-Type-Options: nosniff
2020-04-15T03:31:04.3325608Z X-Runtime: 0.410245629
2020-04-15T03:31:04.3325697Z
2020-04-15T03:31:04.3326907Z {"created_at":"2020-04-15T03:29:14Z","id":"7e9db32b-7903-4fed-b163-d156febec18d","name":"tfcidrtest-rrsqkk3u83","organization":{"id":"ed307167-e3fc-44a4-987b-33f6a1ef1138","name":"terraform-ci-test-team"},"team":{"id":"ed307167-e3fc-44a4-987b-33f6a1ef1138","name":"terraform-ci-test-team"},"region":{"id":"3544427c-5b3b-4e1e-b01a-b66362573b26","name":"virginia"},"shield":false,"state":"allocating","cidr":"10.0.0.0/16","data_cidr":"10.1.0.0/20","updated_at":"2020-04-15T03:31:04Z"}
2020-04-15T03:31:04.3327544Z 2020/04/15 03:31:04 [DEBUG] Still allocating: allocating (7e9db32b-7903-4fed-b163-d156febec18d)
Expected Behavior
The Heroku provider should redact its Authorization header in debug output, to avoid leaking credentials.
Actual Behavior
Authorization value is disclosed in logs.
Steps to Reproduce
TF_LOG=DEBUG terraform apply
It looks like this behavior actually occurs in the heroku-go library, so, unfortunately, I'm not sure what can be done here until a patch is merged on heroku's end. Your best bet would probably be to encrypt any remote logs in the meantime.
Thanks for investigating @keithmattix 😄
I have a plan to fix it in heroku-go, based on another internal provider we created last year. Will filter request headers to redact the Authorization value, in debug mode.
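Added example (not code from this issue, from heroku-go, or from the Terraform provider) of the redaction mars describes above and the issue asks for under Expected Behavior: the outbound request is deep-copied, the copy's Authorization, Proxy-Authorization and Cookie values are replaced with (redacted), and only the copy is rendered with httputil.DumpRequestOut, so the request that actually goes on the wire keeps its credential. The function and type names, the stub server and the Bearer token are constructed for the example; that heroku-go renders requests with httputil.DumpRequestOut is an assumption drawn from the shape of the debug output, not something the issue states.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httputil"
	"strings"
)

// Header names whose values must never reach a debug log. Matched
// case-insensitively so a non-canonical key set directly on the map
// (e.g. "authorization") is caught too.
var sensitiveHeaders = []string{"Authorization", "Proxy-Authorization", "Cookie", "Set-Cookie"}

const redactedValue = "(redacted)"

func isSensitiveHeader(name string) bool {
	for _, s := range sensitiveHeaders {
		if strings.EqualFold(name, s) {
			return true
		}
	}
	return false
}

// redactedClone deep-copies req and masks sensitive header values on the copy.
// req itself is untouched, so the request sent on the wire keeps its credential.
func redactedClone(req *http.Request) *http.Request {
	clone := req.Clone(req.Context()) // Clone copies the Header map
	for name := range clone.Header {
		if isSensitiveHeader(name) {
			clone.Header[name] = []string{redactedValue}
		}
	}
	return clone
}

// dumpRequestRedacted renders the outbound request in wire format, as
// httputil.DumpRequestOut does, but from the masked copy.
func dumpRequestRedacted(req *http.Request) (string, error) {
	b, err := httputil.DumpRequestOut(redactedClone(req), false)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// debugTransport logs each request via dumpRequestRedacted, then forwards the
// unmodified request to the next RoundTripper (hypothetical name).
type debugTransport struct {
	next   http.RoundTripper
	logger *log.Logger
}

func (t *debugTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if dump, err := dumpRequestRedacted(req); err == nil {
		t.logger.Print(dump)
	}
	return t.next.RoundTrip(req)
}

// roundTripFunc lets a plain function stand in for the API so the example
// runs with no network access.
type roundTripFunc func(*http.Request) (*http.Response, error)

func (f roundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

// sendViaDebugTransport pushes req through debugTransport in front of a stub
// server and returns the log text plus the Authorization value the stub saw,
// so both halves (log is clean, server still authenticates) can be checked.
func sendViaDebugTransport(req *http.Request) (logged, seenByServer string, err error) {
	var logBuf bytes.Buffer
	stub := roundTripFunc(func(r *http.Request) (*http.Response, error) {
		seenByServer = r.Header.Get("Authorization")
		body := io.NopCloser(strings.NewReader("{}"))
		return &http.Response{StatusCode: http.StatusOK, Header: make(http.Header), Body: body, Request: r}, nil
	})
	client := &http.Client{Transport: &debugTransport{next: stub, logger: log.New(&logBuf, "", 0)}}
	resp, err := client.Do(req)
	if err != nil {
		return "", "", err
	}
	resp.Body.Close()
	return logBuf.String(), seenByServer, nil
}

func main() {
	const token = "Bearer constructed-example-token" // constructed sample, not a real credential
	req, err := http.NewRequest(http.MethodGet, "https://api.heroku.com/spaces/00000000-0000-0000-0000-000000000000", nil)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Set("Authorization", token)
	logged, seen, err := sendViaDebugTransport(req)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Print(logged)
	fmt.Printf("server got the real credential: %v\nlog contains it: %v\n", seen == token, strings.Contains(logged, token))
}
```

The check worth keeping around as a regression test is the pair at the end of main: the stub must still see the full Authorization value and the captured log text must not contain it. Masking the clone rather than the live request is what keeps the first property true; masking by case-insensitive name rather than a fixed key list is what keeps the second true when a header is set directly on the map.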
@mars Oh whoops; didn't notice you're the author 😂 thanks for the update