v3 apply manifest logs full buildpack url, even if it has token embedded

[JenGoldstrich]

This applies to most CAPI versions.

Reproduction Steps

If you use a buildpack via -b on cf push with git url the credentials form the git clone are logged in plain text in the app logs.

cf push test-app -b https://oauth2:TOKEN@git.mycompany.com/repo/test-buildpack.git

The full url will be logged in the app logs accessible via cf logs test-app

The code that logs this is here :

cloud_controller_ng/app/repositories/app_event_repository.rb

Line 48 in 440812e

VCAP::AppLogEmitter.emit(app.guid, "Applied manifest to app with guid #{app.guid} (#{manifest_request_yaml})")

Remediation

The CAPI team believes the only way to fix this would be to hide the entire buildpack URL from log output, since using a token in your buildpack URL in the manifest is not a usual use case, we recommend that if you need to use a token in your buildpack URL you follow the below steps.

cf create-buildpack test-buildpack https://oauth2:TOKEN@git.mycompany.com/repo/test-buildpack.git positional-number (such as 1)
cf push test-app -b test-buildpack

Currently the plan is to not fix this issue, if we decide to fix it in the future, we would most likely have to hide the entire buildpack url from the manifest as it would be tricky to programmatically determine if a token is in the URL

cc: @moleske @sweinstein22

[Gerg]

This class may be useful: https://github.com/cloudfoundry/cloud_controller_ng/blob/4a23a419862ef9b7272f411a4435e33fc7305f30/lib/cloud_controller/url_secret_obfuscator.rb

[JenGoldstrich]

@Gerg That would definitely solve for this specific case, plugging URI.parse('https://oauth2:TOKEN@git.mycompany.com/repo/test-buildpack.git') into irb and then checking the result.password, and .user returns TOKEN and oath2 respectively.

Does anyone know if other flavors of git would pass in a token differently than this, or would every clone link pass them in as oath2:token?