SECURITY: Make the Certificates an unloggable type #145

Closed
ciroque opened this issue Nov 27, 2023 · 0 comments
ciroque commented Nov 27, 2023

Describe the bug

Leaking certs in logs is not acceptable. To help ensure this doesn't happen, make the Certificates type (internal/certification/certificates.go) unloggable as described here: https://www.commonfate.io/blog/prevent-logging-secrets-in-go-by-using-custom-types

@4141done 4141done self-assigned this Nov 28, 2023
4141done added a commit that referenced this issue Dec 15, 2023
…ing (#147)

We save the values of the provided certs that we retrieve from Kubernetes secrets in the `Certificates` attribute on the `Certificates` struct.

This is sensitive information that we want to make sure stays out of the logs and any stack traces. A common approach to this is to create a type definition for sensitive values that implements `Stringer` and `JSON` interfaces and cast the sensitive data to that value.

Fixes issues #145
@ciroque ciroque closed this as completed Dec 15, 2023