Closed Bug 1132202 Opened 10 years ago Closed 8 years ago

docker-worker: Redact accidentally leaked secrets from logs - search for secret substrings, replace with ***

Categories

(Taskcluster :: Workers, defect)

x86_64
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: jonasfj, Unassigned)

Details

(Whiteboard: [docker-worker])

When using encrypted environment variables, or if someday we inject temp creds into the task container, users could accidentally print these in the terminal.

I suggest that docker-worker maintains a list of secret substrings. It then greps the live log and logs for these substrings and replaces them with *****. The feature should be enabled by default, but it should be possible to disable it with a feature flag.

Note that this helps prevent accidental leaks; it doesn't prevent intentional leaks.

Examples of strings to redact:
- the variable name and variable value of encrypted environment variables (we know these, so we can just grep the logs for them)
- injected temporary credentials; we don't inject these yet, but a simple search-and-replace for the generated clientId and accessToken would be trivial, as would replacing the certificate string.

Users could accidentally leak these with a simple `env` command in bash, which is useful for logging env vars in the log. Again, this would only protect against accidental leaks. But if something is in an encrypted env var, it's probably not intended to be public.
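A live log arrives in chunks, so a redactor of the kind proposed above has to catch a secret that is split across two chunks. The following JavaScript sketch is an added example, not docker-worker code and not part of the bug report; `LogRedactor`, `MASK`, `demo` and the sample secret values are hypothetical.

```javascript
// Added example (not docker-worker code): mask known secret substrings in a
// live log that arrives in arbitrary chunks. All names here are hypothetical.
const MASK = '*****';
const escapeRegExp = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

class LogRedactor {
  constructor(secrets) {
    // Drop empty strings and duplicates; longest first so that a secret
    // containing a shorter one is masked as a whole.
    this.secrets = [...new Set(secrets)].filter((s) => s.length > 0)
      .sort((a, b) => b.length - a.length);
    // '(?!)' never matches, which covers an empty secret list.
    this.pattern = new RegExp(this.secrets.map(escapeRegExp).join('|') || '(?!)', 'g');
    this.pending = ''; // held-back tail that may be the start of a secret
  }
  // Length of the longest suffix of `text` that is a prefix of some secret.
  partialSuffix(text) {
    const max = Math.min(text.length, (this.secrets[0] || '').length - 1);
    for (let k = max; k > 0; k--) {
      const suffix = text.slice(-k);
      if (this.secrets.some((s) => s.startsWith(suffix))) return k;
    }
    return 0;
  }
  // Feed one chunk; returns the text that is safe to emit now.
  write(chunk) {
    const buf = this.pending + chunk;
    let out = '';
    let last = 0;
    for (const m of buf.matchAll(this.pattern)) {
      out += buf.slice(last, m.index) + MASK;
      last = m.index + m[0].length;
    }
    const tail = buf.slice(last);
    const keep = this.partialSuffix(tail);
    this.pending = tail.slice(tail.length - keep);
    return out + tail.slice(0, tail.length - keep);
  }
  // Call at end of task: the held-back tail never completed a secret.
  flush() { const rest = this.pending; this.pending = ''; return rest; }
}

// Constructed sample: `env` output split mid-secret across two chunks.
function demo() {
  const r = new LogRedactor(['DEPLOY_TOKEN', 'tok-constructed-1234']);
  return r.write('HOME=/root\nDEPLOY_TOKEN=tok-constr') +
    r.write('ucted-1234\nPATH=/bin\n') + r.flush();
}
```

Only the suffix that could still grow into a secret is held back, so ordinary log lines stream without delay. Secrets that overlap one another, or that the task prints in an encoded form such as base64, are outside what this substring match covers.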
Component: TaskCluster → Docker-Worker
Product: Testing → Taskcluster
Whiteboard: [docker-worker]
Component: Docker-Worker → Worker
We are telling users not to use encrypted env vars, and we do not inject temporary credentials. Secrets should come from the secrets API, which is not something docker-worker will be aware of. So I don't think there's anything to fix here.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
Component: Worker → Workers