"minikube logs" exposes secrets in env #13527
Labels
kind/security: security issues
priority/important-soon: Must be staffed and worked on either currently, or very soon, ideally in time for the next release.
What Happened?
Hi,
The "minikube logs" command exposes secrets if they exist in your terminal environment. That is common of course. The minikube repository requests the logs to be pasted into issues. As a result I pasted my secrets into a GitHub Issue. Luckily, GitHub spotted them and notified me. I then had to revoke and delete tokens in 3 different systems, then check the recent usage of the tokens to see if they’d been used, and then finally report this to my team.
This could have been a disaster.
It is common, even conventional, for secrets to appear in the env, so it is not reasonable to say this is a user error.
In the short term, the minikube repo issue template could warn users that they may be pasting secrets.
In the medium term, “minikube logs” could consider either not printing env vars, or redacting them.
Thank you,
Alex
Attach the log file
N/A
Operating System
No response
Driver
No response
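
One way to do the redaction suggested in the issue, as an added example that is not minikube's code and not part of the original post: a filter that replaces any value from the current environment with a placeholder before log text is shared. The function name `redactEnv`, the minimum-length threshold of 8 and the `<redacted:NAME>` placeholder format are assumptions made for this sketch.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// redactEnv replaces every environment value found in text with a placeholder
// naming its variable. environ uses the os.Environ() "KEY=VALUE" form. Values
// shorter than minLen (e.g. "1", "true") are skipped so ordinary text is not
// mangled; that threshold is a tuning choice, not a guarantee.
func redactEnv(text string, environ []string, minLen int) string {
	if minLen < 1 {
		minLen = 1 // an empty "old" string would match at every position
	}
	type kv struct{ key, val string }
	var found []kv
	for _, e := range environ {
		if k, v, ok := strings.Cut(e, "="); ok && len(v) >= minLen {
			found = append(found, kv{k, v})
		}
	}
	// Longest value first: strings.Replacer tries pairs in argument order, so
	// a secret that contains a shorter value is replaced whole.
	sort.SliceStable(found, func(i, j int) bool { return len(found[i].val) > len(found[j].val) })
	pairs := make([]string, 0, 2*len(found))
	for _, s := range found {
		pairs = append(pairs, s.val, "<redacted:"+s.key+">")
	}
	// One pass over the text, so inserted placeholders are never rescanned.
	return strings.NewReplacer(pairs...).Replace(text)
}

func main() {
	logText, err := io.ReadAll(os.Stdin) // e.g. piped log output
	if err != nil {
		fmt.Fprintln(os.Stderr, "read stdin:", err)
		os.Exit(1)
	}
	fmt.Print(redactEnv(string(logText), os.Environ(), 8))
}
```

Built as a binary, it can sit in a pipe after `minikube logs` before the output is pasted anywhere. It only catches values present in the environment of the shell it runs in, and it will also replace non-secret values such as home directory paths.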