Headscale logs bearer tokens

[apollo13]

Bug description

Looking at the headscale logs, it logs this at info level when accessing the HTTP api:

2023-03-11T21:13:56Z INF unary dur=0.815623 md={":authority":"/var/run/headscale.sock","authorization":"Bearer XXX.XXX","content-type":"application/grpc","grpcgateway-accept":"*/*","grpcgateway-authorization":"Bearer XXX.XXX","grpcgateway-user-agent":"python-httpx/0.23.3","user-agent":"grpc-go/1.51.0","x-forwarded-for":"xxxxx","x-forwarded-host":"xxxxxx"} method=ListApiKeys req={} service=headscale.v1.HeadscaleService

This includes the whole bearer token. It would be great if the credentials wouldn't get logged :)

[github-actions]

This issue is stale because it has been open for 180 days with no activity.

[apollo13]

/unstale

…

On Tue, Sep 26, 2023, at 03:44, github-actions[bot] wrote: This issue is stale because it has been open for 180 days with no activity. — Reply to this email directly, view it on GitHub <#1259 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAT5C5YVREVZA5XN5MXLJLX4IXQDANCNFSM6AAAAAAVXWLR2M>. You are receiving this because you authored the thread.Message ID: ***@***.***>

[disconn3ct]

This is a security exposure, in security software. Is it on the radar for a fix?

[almereyda]

Would you like to contribute a PR which fixes the perceived regression? I think the maintainers accept contributions again.

The readme clearly states that this is a project for "self-hosters and hobbyists".

If you have specific security requirements, it's probably better to switch to the commercial Tailscale offer.

[disconn3ct]

Is that the official response from the project to this security report? I am more than willing to get it a CVE if that helps.

[almereyda]

This is not an official response, since I am not an official maintainer. This is just how I understand the situation personally.

[apollo13]

Hi @disconn3ct, also not a maintainer but please don't try to get a CVE. You are apparently operating under the assumption that a project has to live up to certain security standards. This is not necessarily the case (I have no idea what the security policy for headscale is) and no one forces you to use headscale. Threatening to issue a CVE will usually only have the effect of getting completely ignored.

If you want to invest your time productively, you could check if this issue is actually still an issue (I don't know I don't use headscale anymore) and if yes try to come up with a patch.

[disconn3ct]

also not a maintainer

and yet here you are, LARPing as one. Maybe you should let the actual maintainers have a chance to respond.

[disconn3ct]

@juanfont fyi https://www.cve.org/CVERecord?id=CVE-2023-47390 was assigned