Please no. These things can leak out in a million other ways (e.g. if you publish logs); it's better to just scrub them prior to publishing with a post-processing script. Having secrets in bitbake variables is a bad idea to begin with.
Alex On Wed, 26 Jul 2023 at 13:10, Enrico Scholz via lists.openembedded.org <[email protected]> wrote: > > From: Enrico Scholz <[email protected]> > > Some integrations require that passwords or secret tokens are > assigned to bitbake variables. E.g. the meta-dependencytrack > layer has a 'DEPENDENCYTRACK_API_KEY' or my sstate-server requires > a 'SSTATE_SERVER_SESSION' token. > > These secrets will appear in testdata.json which can easily leak them > when the deploy directory is published publicly. > > Patch adds a special 'secrets' flag for variables. When a variable is > marked with it, its content will be replaced by '**masked**'. > > E.g. formerly > > | "SSTATE_SERVER_PATH": "HKBOZ8C279S4iwBA", > | "SSTATE_MIRRORS": " ... > https://sstate..../api/v1/download/HKBOZ8C279S4iwBA/sstate/... > > and now > > | "SSTATE_SERVER_PATH": "**masked**", > | "SSTATE_MIRRORS": " ... > https://sstate..../api/v1/download/**masked**/sstate > > Corresponding bbclass contains > > | SSTATE_SERVER_PATH ??= "-" > | SSTATE_SERVER_PATH[secret] = "true" > > Signed-off-by: Enrico Scholz <[email protected]> > --- > meta/lib/oe/data.py | 29 +++++++++++++++++++++++++++-- > 1 file changed, 27 insertions(+), 2 deletions(-) > > diff --git a/meta/lib/oe/data.py b/meta/lib/oe/data.py > index 37121cfad2b7..57a8e5b5e049 100644 > --- a/meta/lib/oe/data.py > +++ b/meta/lib/oe/data.py > @@ -5,7 +5,9 @@ > # > > import json > +import re > import oe.maketype > +import oe.types > > def typed_value(key, d): > """Construct a value for the specified metadata variable, using its flags > @@ -23,9 +25,10 @@ def typed_value(key, d): > except (TypeError, ValueError) as exc: > bb.msg.fatal("Data", "%s: %s" % (key, str(exc))) > > -def export2json(d, json_file, expand=True, searchString="",replaceString=""): > +def export2json(d, json_file, expand=True, searchString="",replaceString="", > mask_secrets=True): > data2export = {} > keys2export = [] > + secrets = [] > > for key in d.keys(): > if key.startswith("_"): 
> @@ -38,12 +41,34 @@ def export2json(d, json_file, expand=True, > searchString="",replaceString=""): > continue > elif d.getVarFlag(key, "func"): > continue > + elif mask_secrets and oe.types.boolean(d.getVarFlag(key, "secret") > or "false"): > + var = d.getVar(key) > + > + ## When secret variable contains a placeholder (is empty > + ## or single character), show it. When it is too short > + ## emit a warning and exclude it completely from output > + ## but do not mask out its value in other places. > + if var is None or len(var) < 2: > + bb.debug(1, "variable '%s' is marked as secret but seems to > contain some placeholder; showing it" % key) > + elif len(var) < 8: > + bb.warn("variable '%s' is marked as secret but content is > too short; skipping it" % key) > + continue > + else: > + secrets.append(re.escape(var)) > > keys2export.append(key) > > + if len(secrets) == 0: > + secrets = None > + else: > + secrets = re.compile('|'.join(secrets)) > + > for key in keys2export: > try: > - data2export[key] = d.getVar(key, > expand).replace(searchString,replaceString) > + var = d.getVar(key, expand).replace(searchString,replaceString) > + if secrets: > + var = secrets.sub("**masked**", var) > + data2export[key] = var > except bb.data_smart.ExpansionError: > data2export[key] = '' > except AttributeError: > -- > 2.41.0 > > > >
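Review bot: The alternation built at `secrets = re.compile('|'.join(secrets))` is tried left to right, so when one secret value is a prefix of another the shorter alternative can win at a position where the longer one also matches, and the remaining tail of the longer secret is written to testdata.json unmasked. Ordering the escaped values longest first closes that gap: `secrets = re.compile('|'.join(sorted(secrets, key=len, reverse=True)))`. Masking also runs after the `.replace(searchString,replaceString)` call, so a secret altered by that substitution would no longer be recognised; calling `secrets.sub("**masked**", ...)` on the value before the replace avoids this. As the comment in the hunk already notes, a value of 2–7 characters is dropped from the export but its occurrences inside other exported variables are still emitted, so the `continue` branch does not make short secrets safe and the warning text could say so. export2json's signature and the start of its key loop are in the previous hunk.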
