Log exposes secrets by aggressively trying to mask them

Whenever Drone sees text that matches a secret, it masks it with ****. This can lead to secrets being indirectly exposed, as in the following command:

terraform init

…which ends up in the log as:

**** init

…because I have a TERRAFORM_DB_USER secret whose value is terraform.

While this is a simple example, it will mask any text that matches a secret, and various commands like this expose the fact that there is a secret with the value of any masked data. I’ve seen this manifest in scenarios that actually expose passwords. Granted, they were poorly-chosen passwords, but it still exposes information.

With no masking at all, my logs don’t expose any secrets; everything secret is in environment variables, and their values aren’t printed. But with masking, despite my own precautions, some information has leaked.

In an extreme case, this could be used to launch a dictionary attack, if one could introduce the dictionary into the log output as a side-effect of some other action (say the build displays the contents of a remote file or some other external resource that an attacker has access to).

In practice, this doesn’t concern me, but it’s worth thinking about. In my example, I’d be better off if Drone didn’t try to hide the secrets at all.

early versions of drone did not mask secrets for this reason because we were concerned with accidentally exposing secrets (e.g. brute force dictionary attack). However, over the course of many years and many discussions, we decided the benefits outweighed the risks and our community has largely agreed. So at this time we view this as a feature, and we would rather error on the side of protecting strong secrets from being exposed.

How about an option to disable masking for a step if desired? I appreciate that this was considered and discussed, and I can respect where you landed, but I’d like masking disabled.

In addition to the concern mentioned above (which I don’t really care about in practice), it makes my logs less readable. I have the words “terraform”, “drone”, and others being masked in all my shell commands, and even things like URLs, to the point that the value of the logs is diminished.

Here’s an example:

mc cp --quiet $PLAN_FILE ******/terraform-plans/jim/example.com/51/$PLAN_FILE

Here, it’s redacting the URL of my Minio (S3) server, and the bucket name, because they happen to be in secrets. Now I’m losing valuable debugging information and I can’t copy the URL.

we don’t currently have an option to disable masking, but can consider such an option in the future.

1 Like