jssimporter/JSSImporter

JSSImporter shows passwords in terminal output

grahampugh opened this issue · 10 comments

This is new since curl started to be employed. We formerly didn't get credentials until -vvvv.

autopkg run -vvv jHelper\ GUI.download.recipe

{'Output': {'version': u'1.0'}}
{u'API_PASSWORD': u’PASSWORD,
u'API_USERNAME': u’USERNAME’,
'AUTOPKG_VERSION': u'1.0.4',
'CHECK_FILESIZE_ONLY': False,
'CURL_PATH': '/usr/bin/curl',
u'GIT_PATH': u'/Applications/Xcode.app/Contents/Developer/usr/bin/git',
u'JSS_REPOS': [{
name = “DP NAME“;
password = “Password;
}],

@macmule is right, -vvv shows the AutoPkg passwords. But -v shouldn't show these values in the curl output.

I'm getting credentials in my output without any -v flags at all. Screenshot attached.

Same as above here.

Changed the title, since others report the password getting exposed without -v.

So just to add a bit to this, all verbose entries in the autopkg_results.plist return as 0, even though the output is most certainly verbose.

E.g.

<key>verbose</key>
<integer>0</integer>

I changed the logging level in curl_adapter.py from DEBUG (logger.setLevel(logging.DEBUG)) to INFO and it fixed it for me, i.e. logger.setLevel(logging.INFO).

Not sure if this is the actual underlying issue or not, but it is a temporary fix for those who need it.

Tried @rodgerramjet26's suggestion, this also worked for me.

@rodgerramjet26 thanks for looking at this!

Let me just confirm; so AutoPkg with a level-4 verbosity does show passwords? It would be easy to just replace passwords with 10 * characters or something too, but if the AutoPkg example is already set that you can see passwords with max verbosity, let's fix that up.

This behaviour was removed with the revert to using requests in v1.0.2b2.
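
The masking idea raised in the thread (replace passwords with 10 * characters), sketched as a Python `logging.Filter`. This is an added example, not JSSImporter's or AutoPkg's code. The logger name, the sample log lines and the two regex shapes (a key containing "password", and curl's `--user name:secret` argument) are assumptions constructed for illustration.

```python
import io
import logging
import re

MASK = "*" * 10  # the "10 * characters" idea from the thread

# Assumed shapes of leaked values: a key containing "password" (dict repr or
# plist-style "password = ...") and curl's "--user name:secret" argument.
_KEYED = re.compile(r"""(?i)(password['"]?\s*[:=]\s*(?:u(?=['"]))?['"]?)([^'"\s,;}]+)""")
_CURL_USER = re.compile(r"""((?:--user|-u)['"]?[,\s]+['"]?[^:'"\s]+:)([^'"\s]+)""")


class RedactCredentials(logging.Filter):
    """Mask credential values in a record before any handler formats it."""

    def filter(self, record):
        text = record.getMessage()  # merge msg % args first
        for pattern in (_KEYED, _CURL_USER):
            text = pattern.sub(lambda m: m.group(1) + MASK, text)
        record.msg, record.args = text, None
        return True  # keep the record, only its text changes


def capture(level, redact):
    """Log constructed sample lines to a buffer and return what was written."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    if redact:
        # On the handler, so records from every logger reaching it are covered.
        handler.addFilter(RedactCredentials())
    logger = logging.getLogger("demo.curl_adapter.%s.%s" % (level, redact))  # hypothetical name
    logger.propagate = False
    logger.setLevel(level)
    logger.addHandler(handler)
    # Constructed sample data, not output from JSSImporter.
    logger.debug("%s", ["/usr/bin/curl", "--user", "apiuser:hunter2", "https://jss.example.com"])
    logger.debug("{u'API_PASSWORD': u'hunter2', u'API_USERNAME': u'apiuser'}")
    logger.info('JSS_REPOS: name = "DP NAME"; password = "dp-secret";')
    logger.removeHandler(handler)
    return buf.getvalue()


if __name__ == "__main__":
    print(capture(logging.DEBUG, redact=True))
```

In this constructed sample, raising the level to INFO drops the two DEBUG lines, but the INFO line is still written with its password unless the filter is attached.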