New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Potential credentials leak when setting environmentVariables #19
Comments
Another thing about the environmentVariables setting that I find confusing is that it only adds gradle-vagrant-plugin/src/main/groovy/com/bmuschko/gradle/vagrant/tasks/Vagrant.groovy Line 79 in 292129f
|
I agree with your analysis. We should probably remove envp from the console output.
Let's fix that as well. |
Hey, This should get a CVE number assigned to it. Can you open a Github security advisory against the repo. Happy to assist with disclosure. |
@JLLeitschuh Can you provide a link that explains the process? |
Hey @bmuschko, Here's the link to the place you can create an advisory against your repository. Feel free to add me if you'd like assistance here. I have a lot of experience in this area. https://github.com/bmuschko/gradle-vagrant-plugin/security/advisories Here's the documentation about GitHub Security Advisories. |
This has been assigned CVE-2021-21361 |
Problem
Currently if
environmentVariables
is set, this will cause the whole environment from the Gradle process to be inherited to the vagrant command. This is then printed on info level to the console log.Context
A common pattern for injecting credentials into the build process on build servers is to set them as environment variables on the build tool process. This way e.g. the credentials for deploying to maven central can be passed the Gradle tasks that need them.
So when my build executes a Vagrant task that has some environment variables set and also has reads some credentials from the environment, this may leak the credentials to build scans and the build server log.
Options
verbose
configuration flag to control whether or not the command and environment should be printed to the log. It should default tofalse
.The text was updated successfully, but these errors were encountered: