fix(errorreport): redact installer secrets from crash reports #48
hi @jigar-arc10 ⏺ Yes — PR #48 narrows the leak but does not fully close it. I traced the whole crash-report assembly. Here's what's actually in a report and what's covered.

What the report attaches (and what #48 redacts)

_bg_add_info + _bg_attach_hook (errorreport.py:162, :452) build a report from many fields. Only InstallerJournal is passed through redact_secrets (errorreport.py:171). Everything registered via

What's actually secret in those un-redacted files

The homenode-token controller logs the key/install_id truncated, not in full:
Those records land in both the journal and the server log file. So:
What does NOT leak (good news)
Verdict

The real residual exposure after #48 is the truncated (10-char) key/install_id prefix in the attached InstallerServerLog* files, plus the structural fact that redaction is applied to one field instead of the

Two concrete fixes, in order of value:

#48 is still a net improvement and safe to merge — but if the ticket's goal is "secrets can't escape in a crash report," it isn't fully met yet. I'd raise fix #1 as a blocking comment since it's a one-line
check_token_GET logged token[:10]/install_id[:10]. The server debug/info logs are attached to crash reports verbatim (InstallerServerLog*), and redact_secrets runs only on the journal and matches only the full on-disk value — so a logged prefix escaped unredacted. Log lengths instead; the secret never reaches any attachment. Refs AKHN-243
PR #47 (AKHN-240, 0600 perms) added test_homenode_token.py with TestTokenFilePerms; this branch added it with TestCheckTokenLogging. Combined both classes into one file with unified imports. homenode_token.py auto-merged (0600 _write_private + length-only logging coexist).
The installer journal is captured verbatim into crash reports via recent_syslog(re.compile(".")), so the installation key / install_id / auth tokens could leak into a shared report. Added redact_secrets() (value-based redaction of the on-disk key + install_id, plus targeted Authorization: Bearer / DPoP / JWT patterns) and wrapped the journal capture in it.

Refs AKHN-243
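The review comment at the top of the thread (a value-based redactor only scrubs the full on-disk value, so a token[:10] prefix in a verbatim-attached server log escapes) and the PR description above (redact_secrets wraps only the journal capture) describe the same failure mode from two sides. The following is an added illustration, not the project's code: redact_secrets here is a hypothetical stand-in modelled on the description, the sample key, install_id, JWT and log lines are constructed, and log_check_token_before/after, redact_prefixes, leaks_prefix and build_report are names chosen for this example. It shows the prefix surviving value-based redaction, the length-only logging the follow-up commit adopts, and a prefix-aware redactor as a defence-in-depth fallback.

```python
import re

# Constructed sample secrets (random-looking, not real values). In the real
# installer these would be the on-disk key and install_id.
INSTALL_KEY = "7f3c9e2b1d4a5f6e8c0b9a7d6e5f4c3b2a1f0e9d"
INSTALL_ID = "0b8a6c4e2d1f3a5c7e9b"
SECRETS = (INSTALL_KEY, INSTALL_ID)

# Hypothetical stand-in for the PR's redact_secrets(): value-based replacement
# of the full on-disk values plus targeted Authorization: Bearer / DPoP and
# bare-JWT patterns. Not the project's implementation.
_AUTHZ = re.compile(r"(?i)(Authorization:\s*(?:Bearer|DPoP)\s+)\S+")
_JWT = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def redact_secrets(text, secrets=SECRETS):
    for s in secrets:
        if s:
            text = text.replace(s, "[REDACTED]")
    text = _AUTHZ.sub(r"\1[REDACTED]", text)
    return _JWT.sub("[REDACTED-JWT]", text)


# Prefix-aware variant (hypothetical): also scrubs any leading substring of a
# secret that is at least min_prefix characters long, which is exactly what a
# token[:10] log line contains. Longest prefixes first so the full value is
# replaced before its shorter prefixes are tried.
def redact_prefixes(text, secrets=SECRETS, min_prefix=8):
    for s in secrets:
        for n in range(len(s), min_prefix - 1, -1):
            text = text.replace(s[:n], "[REDACTED]")
    return text


# The logging pattern the commit message calls out: a 10-char prefix.
def log_check_token_before(token, install_id):
    return f"check_token_GET token={token[:10]}... install_id={install_id[:10]}..."


# Length-only logging: nothing derived from the secret reaches the log line.
def log_check_token_after(token, install_id):
    return f"check_token_GET token_len={len(token)} install_id_len={len(install_id)}"


def leaks_prefix(text, secrets=SECRETS, min_prefix=8):
    """True if a prefix of at least min_prefix chars of any secret survives in text."""
    return any(s[:min_prefix] in text for s in secrets)


# Constructed journal and server-log content standing in for the attachments.
JOURNAL = "\n".join([
    f"installer: wrote key {INSTALL_KEY}",
    f"installer: install_id={INSTALL_ID}",
    "installer: GET /check_token Authorization: Bearer "
    "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ4In0.c2lnbmF0dXJl",
])
SERVER_LOG_BEFORE = log_check_token_before(INSTALL_KEY, INSTALL_ID)
SERVER_LOG_AFTER = log_check_token_after(INSTALL_KEY, INSTALL_ID)


def build_report(journal=JOURNAL, server_log=SERVER_LOG_BEFORE):
    """Mirror the shape the thread describes: the journal goes through
    redact_secrets, the server log is attached verbatim."""
    return {
        "InstallerJournal": redact_secrets(journal),
        "InstallerServerLog": server_log,
    }


if __name__ == "__main__":
    report = build_report()
    print(report["InstallerJournal"])
    print(report["InstallerServerLog"])
    print("prefix survives in server log:", leaks_prefix(report["InstallerServerLog"]))
    fixed = build_report(server_log=SERVER_LOG_AFTER)
    print("after length-only logging:", leaks_prefix(fixed["InstallerServerLog"]))
    print("prefix-aware redaction of old log:", redact_prefixes(SERVER_LOG_BEFORE))
```

Running it shows the journal fully scrubbed (key, install_id and the bearer JWT all replaced) while the verbatim server log still carries the first ten characters of both secrets; switching the controller to length-only logging removes the leak at the source, and redact_prefixes is the fallback if an attachment cannot be trusted to stay secret-free. The prefix heuristic is deliberately second choice: with short min_prefix values it can over-redact whenever a secret happens to start with a common string.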