From 88c8676b18531724e78d0c55cbc8aa4151a0058a Mon Sep 17 00:00:00 2001
From: Matt Conway
Date: Tue, 22 Jun 2021 20:27:06 -0400
Subject: [PATCH] fix masking of multiline secrets

---
 lib/kubetruth/template.rb | 18 +++++++++++-------
 spec/kubetruth/template_spec.rb | 18 ++++++++++++++++++
 2 files changed, 29 insertions(+), 7 deletions(-)

diff --git a/lib/kubetruth/template.rb b/lib/kubetruth/template.rb
index 6578ec5..6a6136c 100644
--- a/lib/kubetruth/template.rb
+++ b/lib/kubetruth/template.rb
@@ -125,27 +125,31 @@ def initialize(template_source)
 def render(*args, **kwargs)
 begin
+ # TODO: fix secrets hardcoding here
 secrets = kwargs[:secrets] || {}
+ debug_kwargs = nil
 logger.debug do
+ # TODO: fix secrets hardcoding here
+ debug_kwargs ||= kwargs.merge(secrets: Hash[secrets.collect {|k, v| [k, ""] }])
 msg = "Evaluating template:\n"
 @source.to_s.lines.collect {|l| msg << (INDENT * 2) << l }
 msg << "\n" << INDENT << "with context:\n"
- kwargs.deep_stringify_keys.to_yaml.lines.collect {|l| msg << (INDENT * 2) << l }
-
- secrets.each {|k, v| msg.gsub!(v, "") }
+ debug_kwargs.deep_stringify_keys.to_yaml.lines.collect {|l| msg << (INDENT * 2) << l }
 msg
 end
 result = @liquid.render!(*args, kwargs.stringify_keys, strict_variables: true, strict_filters: true)
 logger.debug do
+ debug_kwargs ||= kwargs.merge(secrets: Hash[secrets.collect {|k, v| [k, ""] }])
 # we only ever have to sub base64 encoded in this debug block
 both_secrets = secrets.merge(Hash[secrets.collect {|k, v| ["#{k}_base64", Base64.strict_encode64(v)]}])
 msg = "Rendered template:\n"
- result.lines.collect {|l| msg << (INDENT * 2) << l }
- both_secrets.each {|k, v| msg.gsub!(v, "") }
+ r = result.dup
+ both_secrets.each {|k, v| r = r.gsub!(v, "") }
+ r.lines.collect {|l| msg << (INDENT * 2) << l }
 msg
 end
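Review bot: `both_secrets.each {|k, v| r = r.gsub!(v, "") }` in the second `logger.debug` block stores the return value of `gsub!`, which is nil whenever `v` does not occur in `r`, so the next iteration (or the following `r.lines`) raises NoMethodError on nil; any render that does not use every secret and its `_base64` form therefore fails inside the debug block as soon as debug logging is enabled. Use the non-destructive form, `r = r.gsub(v, "")` (the `result.dup` then becomes unnecessary), or keep `r.gsub!(v, "")` without the assignment. Separately, the removed `secrets.each {|k, v| msg.gsub!(v, "") }` scrubbed the whole message, including the echoed `@source` lines and every key of `kwargs`, whereas the new `debug_kwargs` only replaces the `secrets` entry; a secret value that also appears in another kwarg or literally in the template source would now be logged unmasked, and the same narrowing applies to the rescue path in the second hunk of this file. `render` continues past the end of this hunk.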
@@ -157,9 +161,9 @@ def render(*args, **kwargs) msg << INDENT << "with error message:\n" << (INDENT * 2) << "#{e.message}" if e.is_a?(Liquid::UndefinedVariable) msg << "\n" << INDENT << "and variable context:\n" - kwargs.deep_stringify_keys.to_yaml.lines.collect {|l| msg << (INDENT * 2) << l } + debug_kwargs ||= kwargs.merge(secrets: Hash[secrets.collect {|k, v| [k, ""] }]) + debug_kwargs.deep_stringify_keys.to_yaml.lines.collect {|l| msg << (INDENT * 2) << l } end - secrets.each {|k, v| msg.gsub!(v, "") } raise Error, msg end end diff --git a/spec/kubetruth/template_spec.rb b/spec/kubetruth/template_spec.rb index 4c1c678..ac3fec2 100644 --- a/spec/kubetruth/template_spec.rb +++ b/spec/kubetruth/template_spec.rb @@ -292,9 +292,27 @@ module Kubetruth expect(error.message).to_not include(Base64.strict_encode64("sekret")) expect(error.message).to_not include("") end + end + it "masks multiline secrets in logs" do + secrets = {"foo" => "sekret\nsosekret"} + tmpl = described_class.new("secret: {{secrets.foo}} encoded: {{secrets.foo | encode64}}") + expect(tmpl.render(secrets: secrets)).to eq("secret: sekret\nsosekret encoded: #{Base64.strict_encode64("sekret\nsosekret")}") + expect(Logging.contents).to_not include("sekret") + expect(Logging.contents).to include("") + expect(Logging.contents).to_not include(Base64.strict_encode64("sekret\nsosekret")) + expect(Logging.contents).to include("") + + tmpl = described_class.new("{{fail}}") + expect { tmpl.render(secrets: secrets) }.to raise_error(Template::Error) do |error| + expect(error.message).to_not include("sekret") + expect(error.message).to include("") + expect(error.message).to_not include(Base64.strict_encode64("sekret\nsosekret")) + expect(error.message).to_not include("") + end end + end end
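Review bot: The rescue path drops `secrets.each {|k, v| msg.gsub!(v, "") }` but the first context line still appends `e.message` verbatim, and the new `debug_kwargs` substitution only covers the variable-context dump that is emitted for `Liquid::UndefinedVariable`; if a Liquid error message ever quotes the offending value (a filter or syntax error, presumably; verify against the Liquid version in use), the raw secret now travels in the raised `Error` and into whatever logs it. Mask the message explicitly before appending it, e.g. `safe_message = secrets.values.reject(&:empty?).reduce(e.message.to_s) {|m, v| m.gsub(v, "") }` and use `safe_message` in place of `"#{e.message}"` (empty values are skipped because `gsub` with an empty pattern matches between every character). This is also the third copy of the `debug_kwargs ||= kwargs.merge(...)` expression in `render`; a private memoised `masked_kwargs` helper would keep the masking rule in one place, which the `TODO` comments in the first hunk already hint at. The enclosing `render` begins outside this hunk.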
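Review bot: The new example only exercises a template that references both `secrets.foo` and `secrets.foo | encode64`, so every entry of `both_secrets` is found in the rendered output; it cannot detect the case where a secret (or its `_base64` form) is absent from the result, which is exactly the path the new `r = r.gsub!(v, ...)` loop in `template.rb` now handles differently. Add a sibling case such as `expect { described_class.new("no secrets here").render(secrets: secrets) }.to_not raise_error` followed by `expect(Logging.contents).to_not include("sekret")`. Also, as this page renders them, `include("")` and `to_not include("")` compare against an empty string, which every string contains, so the mask-marker assertions are vacuous and the negative ones could never pass; presumably the marker literal was lost in rendering, so confirm it is non-empty in the committed spec.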