From 1c20d65206f6b413429f9c17f68197409a4d33d7 Mon Sep 17 00:00:00 2001
From: David Mulder
Date: Wed, 22 Jan 2025 11:22:34 -0700
Subject: [PATCH 1/2] Fix Credentials leaking in the debug log

Fixes # GHSA-p989-2f5w-9cf6 A vulnerability was identified in Himmelblau versions 0.7.0 through 0.8.2: Logon Compliance Script Issue: When debug logging is enabled, user access tokens are inadvertently logged, potentially exposing sensitive authentication data. The issue poses a risk of exposing sensitive credentials, particularly in environments where debug logging is enabled.

Signed-off-by: David Mulder
---
 src/common/src/unix_proto.rs | 13 ++++++++++++-
 src/daemon/src/daemon.rs | 7 +++++--
 src/daemon/src/tasks_daemon.rs | 8 ++++++--
 3 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/src/common/src/unix_proto.rs b/src/common/src/unix_proto.rs
index 73b05784..032f8653 100644
--- a/src/common/src/unix_proto.rs
+++ b/src/common/src/unix_proto.rs
@@ -132,13 +132,24 @@ pub struct HomeDirectoryInfo {
     pub aliases: Vec,
 }
 
-#[derive(Serialize, Deserialize, Debug, Clone)]
+#[derive(Serialize, Deserialize, Clone)]
 pub enum TaskRequest {
     HomeDirectory(HomeDirectoryInfo),
     LocalGroups(String),
     LogonScript(String, String),
 }
 
+impl TaskRequest {
+    /// Get a safe display version of the request, without credentials.
+    pub fn as_safe_string(&self) -> String {
+        match self {
+            TaskRequest::HomeDirectory(info) => format!("HomeDirectory({:?})", info),
+            TaskRequest::LocalGroups(groups) => format!("LocalGroups({})", groups),
+            TaskRequest::LogonScript(account_id, _) => format!("LogonScript({}, ...)", account_id),
+        }
+    }
+}
+
 #[derive(Serialize, Deserialize, Debug)]
 pub enum TaskResponse {
     Success(i32),
diff --git a/src/daemon/src/daemon.rs b/src/daemon/src/daemon.rs
index 8a3163f3..1a53954d 100644
--- a/src/daemon/src/daemon.rs
+++ b/src/daemon/src/daemon.rs
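Review bot: `as_safe_string` builds and returns a fresh `String`, so by Rust naming convention it should be `to_safe_string`, or better an `impl fmt::Display for TaskRequest` with the same three arms, so call sites write `{}` and any reintroduced `{:?}` on a request fails to compile now that `Debug` is no longer derived. The doc comment should say what is withheld, e.g. `/// Display form for logging; the second element of LogonScript (presumably the access token the advisory refers to) is replaced by "...".` A one-line regression test would pin the advisory fix: `assert!(!TaskRequest::LogonScript("user".into(), "secret".into()).as_safe_string().contains("secret"));`. The HomeDirectory arm still renders the whole `HomeDirectoryInfo` through `{:?}`, which is only safe while that struct, visible here just in part, carries no secret fields.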
@@ -129,7 +129,10 @@ impl Encoder for TaskCodec {
     type Error = io::Error;
 
     fn encode(&mut self, msg: TaskRequest, dst: &mut BytesMut) -> Result<(), Self::Error> {
-        debug!("Attempting to send request -> {:?} ...", msg);
+        debug!(
+            "Attempting to send request -> {:?} ...",
+            msg.as_safe_string()
+        );
         let data = serde_json::to_vec(&msg).map_err(|e| {
             error!("socket encoding error -> {:?}", e);
             io::Error::new(io::ErrorKind::Other, "JSON encode error")
@@ -170,7 +173,7 @@ async fn handle_task_client(
             None => return Ok(()),
         };
 
-        debug!("Sending Task -> {:?}", v.0);
+        debug!("Sending Task -> {:?}", v.0.as_safe_string());
 
         // Write the req to the socket.
         if let Err(_e) = reqs.send(v.0.clone()).await {
diff --git a/src/daemon/src/tasks_daemon.rs b/src/daemon/src/tasks_daemon.rs
index 03e3c60c..33657260 100644
--- a/src/daemon/src/tasks_daemon.rs
+++ b/src/daemon/src/tasks_daemon.rs
@@ -346,8 +346,12 @@ async fn handle_tasks(stream: UnixStream, cfg: &HimmelblauConfig) {
                     return;
                 }
             }
-            other => {
-                error!("Error -> {:?}", other);
+            Some(Err(e)) => {
+                error!("Error -> {:?}", e);
+                return;
+            }
+            _ => {
+                error!("Error -> Unexpected response");
                 return;
             }
         }

From df2266a05b1daba591a299e59213d60cf4709f55 Mon Sep 17 00:00:00 2001
From: David Mulder
Date: Wed, 22 Jan 2025 11:37:45 -0700
Subject: [PATCH 2/2] Version 0.7.15

Signed-off-by: David Mulder
---
 Cargo.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Cargo.toml b/Cargo.toml
index 40b7eded..8c31c424 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -19,7 +19,7 @@ members = [
 resolver = "2"
 
 [workspace.package]
-version = "0.7.14"
+version = "0.7.15"
 authors = [
     "David Mulder "
 ]
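Review bot: In the `encode` hunk at line 129, and again in `handle_task_client` at line 173, the `String` returned by `as_safe_string()` is formatted with `{:?}`, which prints it wrapped in quotes and escapes the inner quotes of the `HomeDirectory({:?})` form; `{}` is the right specifier for a string that is already rendered, e.g. `debug!("Sending Task -> {}", v.0.as_safe_string());`. The redaction itself is correct at both sites, since `v.0.clone()` on the next line still sends the full request over the socket while only the log line is abbreviated. Both enclosing functions start and end outside their hunks.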
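Review bot: The new `_` arm in `handle_tasks` folds the `None` case (the task stream ending, if the scrutinee is the `Option<Result<_, _>>` that the `Some(Err(e))` arm implies) together with any unhandled `Some(Ok(..))` variant under one "Unexpected response" message, so a closed connection reads like a protocol error in the log. A separate `None => { error!("Error -> Task stream closed"); return; }` arm keeps the two apart, and matching the remaining `TaskResponse` variants explicitly instead of `_` lets the compiler flag any variant added later. The match and the enclosing function body begin above the hunk.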