From: "Josef Holzmayr" <jester@theyoctojester.info>
To: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH] report-error: Mask AWS credentials to avoid leaking them
Date: Tue, 13 Jul 2021 11:41:49 +0200 [thread overview]
Message-ID: <06461e08-cb92-c4f6-ef11-7bfae672cc14@theyoctojester.info> (raw)
In-Reply-To: <20210713092242.754717-1-dwrobel@ertelnet.rybnik.pl>
Howdy!
Am 13.07.2021 um 11:22 schrieb Damian Wrobel:
> From: Adam Romanek <romanek.adam@gmail.com>
>
> Removes potentially presonal information from error reports.
>
> Signed-off-by: Adam Romanek <romanek.adam@gmail.com>
> Signed-off-by: Damian Wrobel <dwrobel@ertelnet.rybnik.pl>
> ---
> meta/classes/report-error.bbclass | 15 ++++++++++-----
> 1 file changed, 10 insertions(+), 5 deletions(-)
>
> diff --git a/meta/classes/report-error.bbclass b/meta/classes/report-error.bbclass
> index de48e4ff0f..c17e7e2851 100644
> --- a/meta/classes/report-error.bbclass
> +++ b/meta/classes/report-error.bbclass
> @@ -38,6 +38,15 @@ def get_conf_data(e, filename):
> jsonstring=jsonstring + line
> return jsonstring
>
> +def errorreport_maskvars(e, logdata):
> + origenv = e.data.getVar("BB_ORIGENV", False)
> + vars_to_mask = ("TOPDIR", "TMPDIR", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")
> + for var_name in vars_to_mask:
> + var_value = e.data.getVar(var_name, True) or (origenv and origenv.getVar(var_name, True))
> + if var_value:
> + logdata = logdata.replace(var_value, var_name)
> + return logdata
> +
> python errorreport_handler () {
> import json
> import codecs
> @@ -82,11 +91,7 @@ python errorreport_handler () {
> try:
> with codecs.open(log, encoding='utf-8') as logFile:
> logdata = logFile.read()
> - # Replace host-specific paths so the logs are cleaner
> - for d in ("TOPDIR", "TMPDIR"):
> - s = e.data.getVar(d)
> - if s:
> - logdata = logdata.replace(s, d)
> + logdata = errorreport_maskvars(e, logdata)
> except:
> logdata = "Unable to read log file"
> else:
>
>
This sounds a bit like suggesting that we add a hardcoded magic list of
masks for possbible places for credentials, and I don't think this is a
good approach. If at all, then there should be a more generic way that
doesn't treat S3 as super special.
Greetz
>
>
>
prev parent reply other threads:[~2021-07-13 9:41 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-13 9:22 [PATCH] report-error: Mask AWS credentials to avoid leaking them Damian Wrobel
2021-07-13 9:41 ` Josef Holzmayr [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=06461e08-cb92-c4f6-ef11-7bfae672cc14@theyoctojester.info \
--to=jester@theyoctojester.info \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.