Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CleartextLogging.qhelp needs more help #17574

Open
jsoref opened this issue Sep 25, 2024 · 1 comment
Open

CleartextLogging.qhelp needs more help #17574

jsoref opened this issue Sep 25, 2024 · 1 comment

Comments

@jsoref
Copy link
Contributor

jsoref commented Sep 25, 2024

Sensitive information that is logged unencrypted is accessible to an attacker
who gains access to the logs.

https://github.com/check-spelling-sandbox/argo-cd/security/code-scanning/7

cmd/argocd-git-ask-pass/commands/argocd_git_ask_pass.go:49

			case strings.HasPrefix(os.Args[1], "Username"):
				fmt.Println(creds.Username)
			case strings.HasPrefix(os.Args[1], "Password"):
				fmt.Println(creds.Password)
 flows to a logging call.
CodeQL
			default:
				errors.CheckError(fmt.Errorf("unknown credential type '%s'", os.Args[1]))
			}

It's true, this code is printing a password, that's its job. it's a git credential.helper program.

This isn't "logging" a password, it's intentionally "printing" the password.

How does one tell CodeQL that this is intended behavior? Is the only real option to wait for #11427?

The help should say:

<p>
Be aware that the purpose of some programs is to print output.
Do not file tickets complaining about programs doing their jobs, it will not win you any warm fuzzies.
</p>
@jsoref
Copy link
Contributor Author

jsoref commented Sep 25, 2024

Maybe the advice should be:

If this is intentional, use fmt.Stringer.String

with an example of how to use it. (I can't tell if that works, but 7b903dd seems to hint that it might.)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant