Redact SSH key from URL query parameter by macedogm · Pull Request #348 · hashicorp/go-getter

macedogm · 2022-01-03T10:28:53Z

This PR changes:

Redact SSH key from URL query parameter when printing the URL after a download error happens.
Changed redaction from xxxxx to redacted.
Added two tests for the SSH key redaction.
Added .gitignore.

Signed-off-by: Guilherme Macedo guilherme.macedo@suse.com

Signed-off-by: Guilherme Macedo <guilherme.macedo@suse.com>

hashicorp-cla · 2022-01-03T10:28:56Z

All committers have signed the CLA.

Signed-off-by: Guilherme Macedo <guilherme.macedo@suse.com>

schmichael · 2022-01-03T22:00:14Z

Thanks @macedogm!

Doesn't look like any HashiCorp tooling calls RedactURL directly, and we don't universally guarantee error string backward compatibility, so this seems safe to merge from a compatibility standpoint. Code looks good too!

macedogm · 2022-01-05T09:43:08Z

@schmichael Thanks a lot for the quick review. 👍🏻

macedogm · 2022-01-10T12:18:53Z

Hi @schmichael, do you know when a new release will be made with this fix, please?

schmichael · 2022-01-11T16:57:47Z

Done! Unsure when it will make it into downstream tools (Terraform, Nomad, etc) though.

Pulls in hashicorp/go-getter#348 Fixes the possibility to log an sshkey if a specific error condition is hit.

msmeissn · 2022-04-27T07:07:20Z

Mitre assigned CVE-2022-29810 to this.

Redact SSH key from URL query parameter

36b68b2

Signed-off-by: Guilherme Macedo <guilherme.macedo@suse.com>

Redact SSH key from URL query parameter

17af21e

Signed-off-by: Guilherme Macedo <guilherme.macedo@suse.com>

schmichael merged commit f5cbbb4 into hashicorp:main Jan 3, 2022

macedogm deleted the sshkey-redact branch January 3, 2022 23:14

schmichael mentioned this pull request Jan 12, 2022

deps: update go-getter to v1.5.11 hashicorp/nomad#11833

Merged

schmichael added a commit to hashicorp/nomad that referenced this pull request Jan 12, 2022

deps: update go-getter to v1.5.11

d65c6fc

Pulls in hashicorp/go-getter#348 Fixes the possibility to log an sshkey if a specific error condition is hit.

GoVulnBot mentioned this pull request Apr 27, 2022

x/vulndb: potential Go vuln in github.com/hashicorp/go-getter: CVE-2022-29810 golang/vulndb#438

Closed

jba mentioned this pull request Apr 27, 2022

x/vulndb: potential Go vuln in github.com/hashicorp/go-getter: CVE-2022-29810 jba/nested-modules#303

Open

picatz mentioned this pull request May 9, 2022

Rebuttal for GHSA-27rq-4943-qcwp (CVE-2022-29810) github/advisory-database#281

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Redact SSH key from URL query parameter#348

Redact SSH key from URL query parameter#348
schmichael merged 2 commits into
hashicorp:mainfrom
macedogm:sshkey-redact

macedogm commented Jan 3, 2022

Uh oh!

hashicorp-cla commented Jan 3, 2022 •

edited

Loading

Uh oh!

schmichael commented Jan 3, 2022

Uh oh!

macedogm commented Jan 5, 2022

Uh oh!

macedogm commented Jan 10, 2022

Uh oh!

schmichael commented Jan 11, 2022

Uh oh!

msmeissn commented Apr 27, 2022

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

macedogm commented Jan 3, 2022

Uh oh!

hashicorp-cla commented Jan 3, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

schmichael commented Jan 3, 2022

Uh oh!

macedogm commented Jan 5, 2022

Uh oh!

macedogm commented Jan 10, 2022

Uh oh!

schmichael commented Jan 11, 2022

Uh oh!

msmeissn commented Apr 27, 2022

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

hashicorp-cla commented Jan 3, 2022 •

edited

Loading