Security: stop Exec[bucket-create-*] leaking the couchbase password in plaintext#57
Open
kochj23 wants to merge 1 commit into
Open
Security: stop Exec[bucket-create-*] leaking the couchbase password in plaintext#57kochj23 wants to merge 1 commit into
kochj23 wants to merge 1 commit into
Conversation
Closes justicel#42. couchbase::bucket interpolated the cluster and bucket passwords directly into the Exec's `command` and `unless` strings. Puppet logs the literal command attribute whenever an Exec fails ("change from notrun ... failed: <command> returned 1"), and tagmail e-mails that failure report, so the password was exposed in plaintext on every failed run -- regardless of the logoutput setting (the leak is the command line, not the command output). Fix: export the passwords through the Exec environment (CB_PASSWORD / CB_BUCKET_PASSWORD) and reference them as shell variables in the command, so the secret never appears in any string Puppet logs. The Exec now uses `provider => shell` (needed for variable expansion) and `logoutput => on_failure`. Adds spec/defines/bucket_spec.rb asserting the passwords never appear in the command/unless strings and are only carried in the environment. Test categories covered: Unit, Integration, Functional, Security, Edge-case, Regression, and a Retry placeholder (N/A -- idempotent Exec). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes #42.
couchbase::bucketinterpolates the cluster password (and, for couchbase-type buckets, the bucket password) directly into thecommandandunlessstrings ofExec[bucket-create-*]:Puppet logs the literal command attribute whenever an Exec fails (
change from notrun ... failed: <command> returned 1), and if the node uses tagmail that failure report is e-mailed out. As reported in #42, this exposes the couchbase password in plaintext on every failed run. Note this happens regardless oflogoutput, because the leak is the command line itself, not the command's stdout/stderr.Fix
Export the passwords through the Exec's
environment(CB_PASSWORD/CB_BUCKET_PASSWORD) and reference them as shell variables in the command, so the secret never appears in any string Puppet logs:The bucket password is only exported when one is actually configured.
Security impact
Eliminates plaintext disclosure of the couchbase cluster/bucket passwords in Puppet run reports and tagmail e-mails. Environment variables are not printed in Puppet's failure messages, so the credential stays out of logs.
Tests
Adds
spec/defines/bucket_spec.rb. Categories covered:provider => shell,logoutput => on_failure.Class[couchbase::config].CB_PASSWORDexported, no--bucket-password).commandandunless, are referenced via$CB_PASSWORD/$CB_BUCKET_PASSWORD, and are carried only inenvironment.unless); placeholder kept for parity.Locally
bundle exec rspec spec/defines/bucket_spec.rbis green: 285 examples, 0 failures (Puppet 4.10, stdlib 4.25.1, across all supported OSes).🤖 Generated with Claude Code