
"minikube logs" exposes secrets in env #13527

Closed
alexec opened this issue Jan 31, 2022 · 2 comments · Fixed by #13877
Labels: kind/security (security issues), priority/important-soon (Must be staffed and worked on either currently, or very soon, ideally in time for the next release.)

Comments


alexec commented Jan 31, 2022

What Happened?

Hi,

The "minikube logs" command exposes secrets if they exist in your terminal environment. That is common of course. The minikube repository requests the logs to be pasted into issues. As a result I pasted my secrets into a GitHub Issue. Luckily, GitHub spotted them and notified me. I then had to revoke and delete tokens in 3 different systems, then the recent usage tokens to see if they’d be used, and then finally report this to my team.

This could have been a disaster.

It is common, even conventional, for secrets to appear in the env, so it is not reasonable to say this is a user error.

In the short term, the minikube repo issue template could warn users that they may be pasting secrets.

In the medium term, “minikube logs” could consider either not printing env vars, or redacting them.

Thank you,

Alex

Attach the log file

N/A

Operating System

No response

Driver

No response


RA489 commented Feb 8, 2022

/kind security

@k8s-ci-robot k8s-ci-robot added the kind/security security issues label Feb 8, 2022
spowelljr (Member) commented Feb 16, 2022

Hi @alexec, thanks for bringing this to our attention. I tried reproducing this but wasn't able to. Could you tell me where in the logs the envs were output, and also what driver you were using? Maybe the specific driver is outputting them.

I did

```shell
export CAT123=test
minikube start --driver=docker   # also tried --driver=kvm2
minikube logs --file=logs.txt
```

Didn't find CAT123 in any of the logs.

Edit: I found the HyperKit driver is outputting all the envs in the terminal.
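
What the check looks like in practice, as an added example rather than code from minikube or from anyone in this thread: a POSIX sh script that lists which exported variables have values appearing verbatim in a saved `minikube logs --file` output and writes a redacted copy before the file is attached to an issue. The variable name, the token value, the file name and the log lines are all constructed.

```shell
#!/bin/sh
# Added example (not minikube code): before attaching a saved log to an issue,
# list the exported variables whose values appear verbatim in it and write a
# redacted copy. POSIX sh, grep and awk only; all names and data are constructed.

# Print the name of every exported variable whose value (8+ chars) occurs in $1.
leaked_env_names() {
  env | while IFS='=' read -r name value; do
    # Skip continuation lines of multi-line values and names eval cannot handle.
    case $name in '' | *[!A-Za-z0-9_]*) continue ;; esac
    # Very short values (e.g. TERM=dumb) would match almost any log; ignore them.
    [ "${#value}" -ge 8 ] || continue
    if grep -qF -- "$value" "$1"; then printf '%s\n' "$name"; fi
  done
}

# Copy $1 to $2, replacing each leaked value with <REDACTED:NAME>. awk's index()
# does a literal match, so tokens containing . * / or $ need no regex escaping.
redact_log() {
  cp "$1" "$2"
  leaked_env_names "$1" | while read -r name; do
    eval "value=\$$name"
    awk -v val="$value" -v rep="<REDACTED:$name>" '{
      out = ""; s = $0
      while ((i = index(s, val)) > 0) {
        out = out substr(s, 1, i - 1) rep; s = substr(s, i + length(val))
      }
      print out s
    }' "$2" > "$2.tmp" && mv "$2.tmp" "$2"
  done
}

# Constructed demo: a fake token in the environment and a log line that echoes
# the whole environment, the behaviour described in the comment above.
CONSTRUCTED_TOKEN='ghp_EXAMPLEexampleEXAMPLE0123456789'
export CONSTRUCTED_TOKEN
SAMPLE_LOG=${TMPDIR:-/tmp}/constructed-minikube-$$.log
cat > "$SAMPLE_LOG" <<EOF
I0131 10:00:00.000000 constructed_driver.go:1] env: [HOME=/Users/example CONSTRUCTED_TOKEN=$CONSTRUCTED_TOKEN]
I0131 10:00:01.000000 constructed_driver.go:2] minikube started
EOF

echo "Leaked variables:"; leaked_env_names "$SAMPLE_LOG"
redact_log "$SAMPLE_LOG" "$SAMPLE_LOG.redacted"
echo "Redacted copy written to $SAMPLE_LOG.redacted"
```

Run it against a real `logs.txt` by replacing SAMPLE_LOG; anything it lists is a value that would leave your machine with the attachment.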

@spowelljr spowelljr added the priority/important-soon label (Must be staffed and worked on either currently, or very soon, ideally in time for the next release.) and added, then removed, the triage/needs-information label (Indicates an issue needs more information in order to work on it.) Feb 16, 2022
@spowelljr spowelljr self-assigned this Mar 29, 2022
@spowelljr spowelljr added this to the 1.26.0 milestone Mar 29, 2022

4 participants