heroku/terraform-provider-heroku

Authorization data leaked when TF_LOG=DEBUG

mars opened this issue · 3 comments

mars commented

When Terraform runs in debug mode, authorization credentials are leaked to stdout.

TF_LOG=DEBUG terraform apply logs all HTTP requests to Heroku Platform API, including the secret Authorization header value.

Terraform Version

0.12.20

Heroku Provider Version

2.3.0

Affected Resource(s)

All resources.

Terraform Configuration Files

Any resources.

Debug Output

Authorization value is (redacted) in this sample:

2020-04-15T03:31:03.6173020Z 2020/04/15 03:31:03 GET /spaces/7e9db32b-7903-4fed-b163-d156febec18d HTTP/1.1
2020-04-15T03:31:03.6173817Z Host: api.heroku.com
2020-04-15T03:31:03.6174985Z User-Agent: heroku/v5 (linux; amd64) terraform-provider-heroku/test
2020-04-15T03:31:03.6177757Z Accept: application/vnd.heroku+json; version=3
2020-04-15T03:31:03.6178205Z Authorization: (redacted)
2020-04-15T03:31:03.6178733Z Request-Id: 7c6ca981-8ae4-4c72-bac3-4cd4eda4bae9
2020-04-15T03:31:03.6179060Z Accept-Encoding: gzip
2020-04-15T03:31:03.6179377Z 
2020-04-15T03:31:04.3317845Z 2020/04/15 03:31:04 HTTP/2.0 200 OK
2020-04-15T03:31:04.3319392Z Cache-Control: private, no-cache
2020-04-15T03:31:04.3320205Z Content-Expansion: region
2020-04-15T03:31:04.3321264Z Content-Type: application/json
2020-04-15T03:31:04.3321585Z Date: Wed, 15 Apr 2020 03:31:04 GMT
2020-04-15T03:31:04.3321773Z Etag: "1b680af0b3af0cfc0ebeac0518c2be85"
2020-04-15T03:31:04.3322213Z Last-Modified: Wed, 15 Apr 2020 03:31:04 GMT
2020-04-15T03:31:04.3322520Z Oauth-Scope: global
2020-04-15T03:31:04.3322853Z Oauth-Scope-Accepted: global
2020-04-15T03:31:04.3323178Z Ratelimit-Multiplier: 1
2020-04-15T03:31:04.3323505Z Ratelimit-Remaining: 4499
2020-04-15T03:31:04.3324172Z Request-Id: 82114d94-ea28-43f3-a4b9-ee58944e9462,7c6ca981-8ae4-4c72-bac3-4cd4eda4bae9,7f92e144-e302-3f50-411f-03d6653d5eaf,dd2b302f-45e9-9200-456f-6dabc1dd616f
2020-04-15T03:31:04.3324527Z Vary: Accept-Encoding
2020-04-15T03:31:04.3324941Z Via: 1.1 spaces-router (d1390724e8f6), 2.0 spaces-router (d1390724e8f6)
2020-04-15T03:31:04.3325294Z X-Content-Type-Options: nosniff
2020-04-15T03:31:04.3325608Z X-Runtime: 0.410245629
2020-04-15T03:31:04.3325697Z 
2020-04-15T03:31:04.3326907Z {"created_at":"2020-04-15T03:29:14Z","id":"7e9db32b-7903-4fed-b163-d156febec18d","name":"tfcidrtest-rrsqkk3u83","organization":{"id":"ed307167-e3fc-44a4-987b-33f6a1ef1138","name":"terraform-ci-test-team"},"team":{"id":"ed307167-e3fc-44a4-987b-33f6a1ef1138","name":"terraform-ci-test-team"},"region":{"id":"3544427c-5b3b-4e1e-b01a-b66362573b26","name":"virginia"},"shield":false,"state":"allocating","cidr":"10.0.0.0/16","data_cidr":"10.1.0.0/20","updated_at":"2020-04-15T03:31:04Z"}
2020-04-15T03:31:04.3327544Z 2020/04/15 03:31:04 [DEBUG] Still allocating: allocating (7e9db32b-7903-4fed-b163-d156febec18d)

Expected Behavior

The Heroku provider should redact its Authorization header in debug output, to avoid leaking credentials.

Actual Behavior

Authorization value is disclosed in logs.

Steps to Reproduce

  1. TF_LOG=DEBUG terraform apply

keithmattix commented

It looks like this behavior actually occurs in the heroku-go library, so, unfortunately, I'm not sure what can be done here until a patch is merged on heroku's end. Your best bet would probably be to encrypt any remote logs in the meantime.

mars commented

Thanks for investigating @keithmattix 😄

I have a plan to fix it in heroku-go, based on another internal provider we created last year. Will filter request headers to redact the Authorization value, in debug mode.
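As an added illustration of the approach described in the comment above (filter the request headers so the debug dump never contains the Authorization value), here is a self-contained Go example. It is not heroku-go or terraform-provider-heroku code; it assumes the debug logger produces its output with httputil.DumpRequestOut, which is what the sample in the issue looks like, and the names sensitiveHeaders, redactedDump and debugTransport are this example's own. The point it makes is that redaction has to happen on the in-memory request before the wire bytes are generated, while the real request keeps its credentials and body for the actual round trip.

```go
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httputil"
	"strings"
)

// sensitiveHeaders names the request headers whose values must never reach
// a debug log. net/http canonicalises header names, so these are in that form.
var sensitiveHeaders = map[string]bool{
	"Authorization":       true,
	"Proxy-Authorization": true,
}

// redactedDump returns the wire form of req, as httputil.DumpRequestOut would
// log it, with every sensitive header value replaced by "(redacted)".
// req keeps its real headers; its Body is re-wrapped after being read for the
// dump so the request can still be sent afterwards.
func redactedDump(req *http.Request) (string, error) {
	// Clone deep-copies the Header map, so redacting the copy leaves req intact.
	safe := req.Clone(req.Context())
	for name := range safe.Header {
		if sensitiveHeaders[name] {
			safe.Header.Set(name, "(redacted)")
		}
	}
	// Clone shares the Body reader with req. DumpRequestOut drains it and
	// leaves a fresh reader on safe.Body; hand that back to req so the body
	// is not lost for the real round trip.
	dump, err := httputil.DumpRequestOut(safe, true)
	if err != nil {
		return "", err
	}
	if req.Body != nil {
		req.Body = safe.Body
	}
	return string(dump), nil
}

// debugTransport wraps another RoundTripper and logs each outgoing request
// when Debug is set, the way a provider's HTTP client might under TF_LOG=DEBUG.
// Only the redacted dump ever reaches the logger.
type debugTransport struct {
	Debug bool
	Base  http.RoundTripper
	Log   *log.Logger
}

func (t *debugTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if t.Debug {
		if dump, err := redactedDump(req); err == nil {
			t.Log.Print(dump)
		}
	}
	base := t.Base
	if base == nil {
		base = http.DefaultTransport
	}
	return base.RoundTrip(req)
}

func main() {
	// Constructed request for demonstration; it is never sent and the
	// token is a placeholder, not a real credential.
	req, err := http.NewRequest("POST", "https://api.heroku.com/apps",
		strings.NewReader(`{"name":"example-app"}`))
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Set("Authorization", "Bearer 0123-NOT-A-REAL-TOKEN")
	req.Header.Set("Accept", "application/vnd.heroku+json; version=3")

	dump, err := redactedDump(req)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Print(dump)

	// The real request is untouched: header and body are still intact.
	body, _ := io.ReadAll(req.Body)
	fmt.Printf("\noriginal header kept: %q\noriginal body kept: %s\n",
		req.Header.Get("Authorization"), body)

	// Wiring into a client: every request through this client is logged
	// in redacted form before it goes out.
	client := &http.Client{Transport: &debugTransport{Debug: true, Log: log.Default()}}
	_ = client
}
```

Redacting after the fact (grepping the log for the token) is the wrong layer: once the bytes have been written to a CI log or a remote log sink the secret has already left the process, which is why the filtering belongs in the client library before the dump is produced.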

keithmattix commented

@mars Oh whoops; didn't notice you're the author 😂 thanks for the update