Signed-off-by: Alano Terblanche <18033717+Benehiko@users.noreply.github.com>
if err != nil {
	return err
}
fmt.Printf("\nID: %s\nValues: %s\n", k, vv)
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Copilot Autofix
AI 9 months ago
To fix the issue, the sensitive information (password) should be excluded from the logs or obfuscated before being logged. The Marshal method in MockCredential should be updated to ensure that sensitive data is not exposed. Additionally, the logging statement in keychain/cmd/main.go should be modified to avoid printing the password.
Steps to fix:
- Update the Marshal method in keychain/mocks/mock_credential.go to obfuscate the password (e.g., replace it with a placeholder like ***).
- Modify the logging statement in keychain/cmd/main.go to exclude sensitive data or use the updated Marshal method that obfuscates the password.
| @@ -40,3 +40,3 @@ | ||
| } | ||
| fmt.Printf("\nID: %s\nValues: %s\n", k, vv) | ||
| fmt.Printf("\nID: %s\nValues: %s\n", k, vv) // Password obfuscated in Marshal method | ||
| } |
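Review bot: the two Printf lines in this hunk differ only by the trailing comment, so nothing in keychain/cmd/main.go actually changes and the alert is silenced only if the Marshal hunk in mock_credential.go also lands. Either redact at this call site (pass a redacted copy of vv instead of vv itself) or drop the hunk; a comment saying "Password obfuscated in Marshal method" next to an unchanged fmt.Printf is misleading on its own.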
| @@ -18,3 +18,3 @@ | ||
| func (m *MockCredential) Marshal() ([]byte, error) { | ||
| return []byte(m.Username + ":" + m.Password), nil | ||
| return []byte(m.Username + ":***"), nil // Obfuscate the password | ||
| } |
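Review bot: `return []byte(m.Username + ":***"), nil` redacts inside Marshal, which is the serialization path, not the logging path. Anything that stores or round-trips a MockCredential through Marshal now gets `***` as the password, so a write-then-read test would pass with a placeholder and never exercise the real value. Keep Marshal faithful and do the redaction where the value is printed, for example in a String() method used only for display.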
if err != nil {
	return err
}
fmt.Printf("Secret:\nID:%s\nValues:%s\n", id.String(), val)
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Copilot Autofix
AI 9 months ago
To fix the issue, we need to ensure that sensitive information (e.g., passwords) is not logged in clear text. Instead of logging the entire output of the Marshal method, we should log only non-sensitive information, such as the Username or a sanitized version of the data.
In this case, we will modify the fmt.Printf statement on line 86 in keychain/cmd/main.go to exclude the password from the logged output. Additionally, we will update the Marshal method in keychain/mocks/mock_credential.go to provide a sanitized version of the data for logging purposes.
| @@ -85,3 +85,3 @@ | ||
| } | ||
| fmt.Printf("Secret:\nID:%s\nValues:%s\n", id.String(), val) | ||
| fmt.Printf("Secret:\nID:%s\nValues:%s\n", id.String(), sanitizeSecret(val)) | ||
| return nil |
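Review bot: `sanitizeSecret(val)` takes a `[]byte` per the companion hunk, but val's declaration is not shown here, so this compiles only if val already is `[]byte` (otherwise wrap it with `[]byte(val)`), and it cannot be applied without the hunk that defines the helper. It also still prints through fmt.Printf, so every future caller has to remember the wrapper; a redacting String() on the credential type would make the safe form the default.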
| @@ -31 +31,10 @@ | ||
| } | ||
|
|
||
| // sanitizeSecret redacts sensitive information (e.g., passwords) from the secret data. | ||
| func sanitizeSecret(data []byte) string { | ||
| parts := bytes.Split(data, []byte(":")) | ||
| if len(parts) != 2 { | ||
| return "Invalid secret format" | ||
| } | ||
| return string(parts[0]) + ":<redacted>" | ||
| } |
|
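Review bot: `bytes.Split(data, []byte(":"))` with `len(parts) != 2` mis-handles any password that itself contains a ':' (three parts, so the helper returns "Invalid secret format" for a perfectly valid secret), and this hunk adds no `bytes` import, so the file will not compile as shown. Use `bytes.SplitN(data, []byte(":"), 2)`, and when the layout is not recognised return a fully redacted placeholder rather than a message, since the helper exists only for display. The username:password layout is the mock's own format; a real secret returned by the service is opaque bytes and should not be parsed at all.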
This is already supported in main. Will close this.
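Both CodeQL alerts above come from printing a marshalled credential with fmt.Printf, and both autofixes put the redaction in the wrong place (one inside Marshal, the other in a format-coupled helper). The following is an added example, not code from this PR or its autofix suggestions, showing where a redaction boundary belongs in Go: the Credential type is a hypothetical stand-in for MockCredential (only the Username/Password fields and the "user:pass" Marshal layout are assumed from the hunks), Marshal stays faithful for storage, and the fmt.Stringer, fmt.GoStringer and slog.LogValuer methods make every common print path redact by default. RedactSerialized covers the second alert's case, where the caller only holds bytes, and handles a ':' inside the password.

```go
package main

import (
	"bytes"
	"fmt"
	"log/slog"
	"os"
)

// Credential is a hypothetical stand-in for the PR's MockCredential; the
// Username/Password fields and the "user:pass" Marshal layout are assumed
// from the hunks above, nothing else about the real type is known.
type Credential struct {
	Username string
	Password string
}

// Marshal is the storage boundary and must keep the real password;
// redacting here (as the first autofix does) corrupts what gets stored.
func (c Credential) Marshal() ([]byte, error) {
	return []byte(c.Username + ":" + c.Password), nil
}

// String is picked up by %s, %v and %+v, so fmt.Printf("%s", cred) or
// fmt.Println(cred) can no longer print the password by accident.
func (c Credential) String() string {
	return c.Username + ":<redacted>"
}

// GoString covers %#v, which would otherwise dump the struct fields verbatim.
func (c Credential) GoString() string {
	return fmt.Sprintf("Credential{Username:%q, Password:<redacted>}", c.Username)
}

// LogValue does the same for log/slog attributes.
func (c Credential) LogValue() slog.Value {
	return slog.GroupValue(
		slog.String("username", c.Username),
		slog.String("password", "<redacted>"),
	)
}

// RedactSerialized is for the case in the second alert, where the caller
// only holds marshalled bytes. It splits on the first ':' only, so a
// password containing ':' is not mis-parsed, and when the layout is not
// the expected one it redacts everything instead of echoing the input.
func RedactSerialized(data []byte) string {
	parts := bytes.SplitN(data, []byte(":"), 2)
	if len(parts) != 2 {
		return "<redacted>"
	}
	return string(parts[0]) + ":<redacted>"
}

func main() {
	cred := Credential{Username: "alice", Password: "s3cr:et"} // constructed sample
	raw, _ := cred.Marshal()
	fmt.Printf("marshalled for storage: %d bytes (secret intact)\n", len(raw))
	fmt.Printf("%%s  -> %s\n%%v  -> %v\n%%+v -> %+v\n%%#v -> %#v\n", cred, cred, cred, cred)
	fmt.Println("redacted bytes:", RedactSerialized(raw))
	slog.New(slog.NewTextHandler(os.Stdout, nil)).Info("loaded credential", "cred", cred)
}
```

One caveat worth knowing: fmt only calls String() on values it can reach through an exported path, so a Credential stored in an unexported field of an outer struct printed with %v bypasses the redaction. Keep credential fields exported or give the outer type its own String().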
This is an experiment - it is a simple package that tests the org.freedesktop.secrets API over D-Bus. It tries to list and create collections.