Merged
5 changes: 4 additions & 1 deletion .github/workflows/ci-service.yml
Expand Up @@ -57,6 +57,7 @@ jobs:
distro: [ "tumbleweed" ]

container:
# FIXME: use some 16.0 based image (with Ruby 3.4, TW contains Ruby 4.0...)
image: registry.opensuse.org/yast/head/containers_${{matrix.distro}}/yast-ruby

steps:
Expand Down Expand Up @@ -104,7 +105,9 @@ jobs:
which

- name: Install RubyGems dependencies
run: bundle config set --local with 'development' && bundle install
# install gems not included in Ruby 4.0
run: bundle config set --local with 'development' && bundle install && bundle add ostruct &&
bundle add cgi && bundle add fiddle

- name: Check collecting translatable strings
run: |
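
Review bot: In the "Install RubyGems dependencies" step, `bundle add ostruct && bundle add cgi && bundle add fiddle` edits the Gemfile at CI time and resolves whatever version is current on each run, so the CI dependency set is neither reviewed nor reproducible. Declaring the three gems in the Gemfile (or gemspec) with version constraints would keep them under the same review as the other dependencies and would also cover non-CI environments running Ruby 4.0.
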
17 changes: 17 additions & 0 deletions service/lib/agama/cmdline_args.rb
Expand Up @@ -20,6 +20,9 @@
# find current contact information at www.suse.com.

require "logger"
require "yast"

Yast.import "URL"

module Agama
# This class is responsible for reading Agama kernel cmdline options
Expand All @@ -37,6 +40,20 @@ def initialize(data = {})
@data = data
end

def to_s
data_log = data

# optimization, hide the password only if it could be there
if data && data["install_url"] && data["install_url"].include?("@")
data_log = data.clone
data_log["install_url"] = Yast::URL.HidePassword(data["install_url"])
Contributor

NP: I wonder why not call this directly, without the include optimization, which is already done by Yast::URL.HidePassword. I guess it is to avoid the RegExp execution, but I'm not sure if it is worth it.

Also, checking Yast::URL.HidePassword, I have realized that we now have "FILTERED" in some places and "PASSWORD" in others. It would be nice to be able to pass the desired mask to Yast::URL.HidePassword as well.

Contributor Author

Yes, I noticed the different replacement. But as this code is for 16.0 only and will not be used in the future (for 16.1 it was rewritten in Rust), I'd not waste much time here. Just fix the problem in an easy way and be done with that.

Contributor

Thanks for the info, much appreciated. I didn't know these details and I didn't pay attention that this was a PR against 16.0.

end

"#<#{self.class.name}:0x#{object_id.to_s(16).rjust(16, "0")} @data=#{data_log.inspect}>"
Contributor

Just curious to know how we know that it is always #...0x

Contributor Author

The 0x prefix means that the number is in hexadecimal format. It distinguishes between 10 decimal and 10 hexadecimal, which is 16 in decimal. With 0x10 it is clear what it means.

end

alias_method :inspect, :to_s

def self.read
read_from("/run/agama/cmdline.d/agama.conf")
end
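
Review bot: `to_s` in the `@@ -37,6 +40,20 @@` hunk masks only `data["install_url"]`; every other key still goes through `data_log.inspect` unchanged, so an option added later that carries a URL with credentials would be logged in clear. A short comment above `def to_s` saying that the override (and the `inspect` alias) exists to keep credentials out of logs, and which keys are masked, would make that limit visible to whoever extends the class.
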
5 changes: 4 additions & 1 deletion service/lib/agama/software/product_builder.rb
Expand Up @@ -22,6 +22,9 @@
require "agama/cmdline_args"
require "agama/software/product"
require "logger"
require "yast"

Yast.import "URL"

module Agama
module Software
Expand Down Expand Up @@ -75,7 +78,7 @@ def initialize_product(id, data, attrs)
def set_repositories(product, data, cmdline_args)
install_url = cmdline_args.data["install_url"]
if install_url
@logger.info "agama.install_url is set to #{install_url}"
@logger.info "agama.install_url is set to #{Yast::URL.HidePassword(install_url)}"
product.repositories = install_url.split(",")
else
product.repositories = data[:repositories]
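
Review bot: In `set_repositories`, `Yast::URL.HidePassword(install_url)` receives the whole parameter value, while the next line treats it as a comma-separated list (`install_url.split(",")`). Nothing visible here shows that every URL in such a list gets its password masked; masking each element after the split and joining the results for the log message would remove the doubt, and a spec with two credentialed URLs would pin it down.
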
7 changes: 5 additions & 2 deletions service/lib/agama/software/repositories_manager.rb
Expand Up @@ -21,6 +21,9 @@

require "agama/software/repository"
require "singleton"
require "yast"

Yast.import "URL"

module Agama
module Software
Expand Down Expand Up @@ -52,8 +55,8 @@ def reset
# @param priority [Integer] Repository priority, the lower number the higher (!)
# priority, the default libzypp priority is 99
def add(url, name: nil, repo_alias: "", autorefresh: true, priority: 99)
repositories << Repository.create(name: name || url, url: url, repo_alias: repo_alias,
autorefresh: autorefresh, priority: priority)
repositories << Repository.create(name: name || Yast::URL.HidePassword(url), url: url,
repo_alias: repo_alias, autorefresh: autorefresh, priority: priority)
end

# returns user repositories as it was previously specified
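
Review bot: In `add`, only the fallback is masked (`name: name || Yast::URL.HidePassword(url)`); a caller that passes the raw URL as `name:` still stores the password in the repository name. The method documentation should state that the default name is the URL with the password hidden, and none of the changed files adds a spec for this default, so a regression here would go unnoticed.
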
6 changes: 6 additions & 0 deletions service/package/rubygem-agama-yast.changes
@@ -1,3 +1,9 @@
-------------------------------------------------------------------
Tue Feb 24 16:59:38 UTC 2026 - Ladislav Slezák <lslezak@suse.com>

- Do not log the URL password in the "inst.install_url" boot
parameter (bsc#1258701)

-------------------------------------------------------------------
Fri Nov 7 15:14:51 UTC 2025 - Ancor Gonzalez Sosa <ancor@suse.com>

14 changes: 14 additions & 0 deletions service/test/agama/cmdline_args_test.rb
Expand Up @@ -68,4 +68,18 @@
expect { described_class.read_from(broken_config) }.to_not raise_error
end
end

describe "#to_s" do
it "hides the password in the install_url" do
args = described_class.new({ "install_url" => "https://u:secret_password@example.com" })
expect(args.to_s).to_not include("secret_password")
end
end

describe "#inspect" do
it "hides the password in the install_url" do
args = described_class.new({ "install_url" => "https://u:secret_password@example.com" })
expect(args.inspect).to_not include("secret_password")
end
end
end
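
Review bot: Both new examples only assert that "secret_password" is absent, which would also pass if `to_s` dropped the URL altogether. Adding `expect(args.to_s).to include("example.com")` and a case where `install_url` has no "@" (the branch that skips the clone in `to_s`) would cover both paths.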