Secrets may be shown in logs when an unhandled exception is triggered, because typer framework is logging locals of each function.
This may uncover secrets if Cachi2 is used in CI/build pipelines as it's the main use case.
2024-11-13 17:43:57,481 ERROR RuntimeError: Package parent module was not found
╭───────────────────── Traceback (most recent call last) ──────────────────────╮
│ /venv/lib64/python3.9/site-packages/cachi2/interface/cli.py:65 in │
│ cmd_with_error_handling │
│ │
│ 62 │ @functools.wraps(cmd) │
│ 63 │ def cmd_with_error_handling(*args: tuple[Any, ...], **kwargs: dict │
│ 64 │ │ try: │
│ ❱ 65 │ │ │ cmd(*args, **kwargs) │
│ 66 │ │ except Cachi2Error as e: │
│ 67 │ │ │ _bail_out_with_error(e) │
│ 68 │ │ except Exception as e: │
│ │
│ ╭───────────────────────────────── locals ─────────────────────────────────╮ │
│ │ args = () │ │
│ │ kwargs = { │ │
│ │ │ 'raw_input': '[{"type": "gomod","path": │ │
│ │ "redacted"}]', │ │
│ │ │ 'source': PosixPath('/var/workdir/source'), │ │
│ │ │ 'output': PosixPath('/var/workdir/cachi2/output'), │ │
│ │ │ 'dev_package_managers': False, │ │
│ │ │ 'cgo_disable': False, │ │
│ │ │ 'force_gomod_tidy': False, │ │
│ │ │ 'gomod_vendor': False, │ │
│ │ │ 'gomod_vendor_check': False │ │
│ │ } │ │
│ ╰──────────────────────────────────────────────────────────────────────────╯ │
...
MartinBasti Finder
Impact
Secrets may be shown in logs when an unhandled exception is triggered, because typer framework is logging locals of each function.
This may uncover secrets if Cachi2 is used in CI/build pipelines as it's the main use case.
Example of log:
Patches
d6638e5
Workarounds
N/A
References
https://typer.tiangolo.com/tutorial/exceptions/?h=#disable-local-variables-for-security