Value of Decrypted Databag Being Returned in chef-client Logs

Hi there,

I have a data bag that is used as part of a chef recipe.

When I execute a chef-client command that runs this recipe, the data bag is decrypted and its unencrypted value is logged as part of the chef-client output.

Is there a way that I can prevent this happening?

Thanks,
Sean

There is a sensitive flag on resources you can set.

@jasonf Thanks for this!

Should I apply this flag to the data bag itself? Or to the data bag item?

When is the reveal of the sensitive data happening? It should not be happening at decryption. Usually it is when you try to use the decrypted data to write out a template or by calling some other type of Chef resource.

template '[path to file]' do
  source 'template.erb'
  sensitive true
end

@dgames-email Thanks for this.

As for when the reveal is happening, I am not sure but here is an extract from the chef-client logs:

[2019-11-06T13:25:41+00:00] INFO: Loading cookbooks [Cookbook1@1.0.0, Cookbook2@0.0.3, Cookbook3@1.0.4, Cookbook4@0.0.3, Cookbook5@2.7.0, Cookbook6@0.0.3, Cookbook7@1.0.0, Cookbook8@2.1.0]
[2019-11-06T13:25:43+00:00] INFO: Additional Chef Arguments to be passed to installer: {"product"=>"ProductName", "cookbook_name"=>"CookbookName", "version"=>"1.5.24", "Install_Version"=>".1", "sourcedirectory"=>"D:\\","Password"=>"xxxxx"}
[2019-11-06T13:25:43+00:00] INFO: Scrubbing: xxxxx

Where xxxxx is the password rendered in plain text.

I have created a new Environment Default Attribute, 'password' and set the following attribute type:

{"sensitive":true}

But it seems that the password is still being returned in the chef-client log.

Apologies for wasting your time on this y'all, but it seems like this logic is contained in one of our cookbooks:

  # command-line length limit? YES! 8200
  # concat all environment variables under the nuget product bag into a ;-separated key-value-pair string
  arr_additional_args = []
  flattened_args = flatten_hash(node[new_resource.cookbook_name])

  # Logged before the scrub loop below runs, so the raw values appear here.
  Chef::Log.info("Additional Chef Arguments to be passed to installer: #{flattened_args}")

  # Scrub values whose keys look like secrets.
  flattened_args.each_key do |key|
    if key.upcase.include?("PASSWORD") || key.include?("PWD") || key.include?("SCRUB")
      flattened_args[key] = msBuildScrubString(flattened_args[key])
    end
  end

  flattened_args.each_pair { |k, v| arr_additional_args.push("#{k}=#{v}") }

  Chef::Log.debug("Chef Arguments array after: #{arr_additional_args}")

  # If the arguments contain semicolons, commas, single quotes or double quotes they will break the
  # MSBuild property string: replace them with the encoded characters - MSBuild restores them automatically.
  arr_additional_args.map! { |v| v.gsub(";", "%3B") }
  arr_additional_args.map! { |v| v.gsub(",", "%2C") }
  arr_additional_args.map! { |v| v.gsub("'", "%27") }
  arr_additional_args.map! { |v| v.gsub('"', "%22") }

  additional_args = arr_additional_args.join(";")

  Chef::Log.info("Additional Chef Arguments to be passed to installer: #{additional_args}")

I guess I will have to include some conditional logic in here to check for the presence of the 'sensitive' attribute and, if its value is set to 'true', not to log these.

Thanks for your replies and I hope that this helps someone else.

Apologies again - this is in one of the cookbook providers.

Again, hope this helps!
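As an added example (not code from the thread or from the cookbook it quotes), here is one way to restructure that provider logic so the redaction happens before anything is logged, while the installer still receives the real value. It matches the same key words as the cookbook loop but case-insensitively for all of them, and uses a stand-in flatten_hash and a plain Ruby Logger since the cookbook's helpers and Chef::Log are not available outside a chef-client run; the sample attributes are constructed.

```ruby
require "logger"
require "stringio"

# Key words whose values must never reach a log line; matched
# case-insensitively for every key, unlike the cookbook loop.
SENSITIVE_KEY_PATTERN = /PASSWORD|PWD|SCRUB/i

# Flatten nested attribute hashes into "outer.inner" => value pairs
# (stand-in for the cookbook's flatten_hash, which the thread does not show).
def flatten_hash(hash, prefix = nil)
  hash.each_with_object({}) do |(key, value), out|
    full_key = prefix ? "#{prefix}.#{key}" : key.to_s
    if value.is_a?(Hash)
      out.merge!(flatten_hash(value, full_key))
    else
      out[full_key] = value
    end
  end
end

# Copy of the arguments that is safe to log: secret values are replaced.
def redact_for_log(args)
  args.each_with_object({}) do |(key, value), out|
    out[key] = SENSITIVE_KEY_PATTERN.match?(key) ? "<redacted>" : value
  end
end

# Percent-encode the four characters that break an MSBuild property string.
def msbuild_encode(value)
  value.to_s.gsub(";", "%3B").gsub(",", "%2C").gsub("'", "%27").gsub('"', "%22")
end

# Build the ;-separated installer argument string. The installer still
# receives the real secret; only the log line is redacted.
def build_installer_args(attrs, logger)
  flattened = flatten_hash(attrs)
  logger.info("Additional Chef Arguments to be passed to installer: #{redact_for_log(flattened)}")
  flattened.map { |k, v| "#{k}=#{msbuild_encode(v)}" }.join(";")
end

# Constructed sample attributes (not real data) through an in-memory logger; returns [log text, args].
def demo
  attrs = { "product" => "ProductName", "version" => "1.5.24",
            "sourcedirectory" => "D:\\", "Password" => "s3cret;pw",
            "install" => { "Version" => ".1", "DbPwd" => "p@ss" } }
  log = StringIO.new
  args = build_installer_args(attrs, Logger.new(log))
  [log.string, args]
end
```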