Skip to content

IDP: avoid logging value of 'idp_client_secret' #8332

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
alexey-tikhonov wants to merge 2 commits into
base: master
Choose a base branch
from
Open

IDP: avoid logging value of 'idp_client_secret' #8332

alexey-tikhonov wants to merge 2 commits into from
+32 −18

Conversation

@alexey-tikhonov
Copy link
Member

@alexey-tikhonov alexey-tikhonov commented Jan 7, 2026

No description provided.

@alexey-tikhonov alexey-tikhonov added the no-backport This should go to target branch only. label Jan 7, 2026
gemini-code-assist[bot]
gemini-code-assist bot reviewed Jan 7, 2026
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request aims to prevent logging the sensitive idp_client_secret value. The changes introduce a specific check in dp_get_options to avoid printing the secret's value, which is a good security improvement. The PR also refactors the debug logging level for option processing to a more appropriate level and consistently uses a macro for the secret's key. However, the fix is incomplete as a similar logging vulnerability remains in another function within the same file, which could still lead to secret leakage. This critical issue needs to be addressed.

@alexey-tikhonov alexey-tikhonov added the Trivial A single reviewer is sufficient to review the Pull Request label Jan 7, 2026
@alexey-tikhonov alexey-tikhonov marked this pull request as ready for review January 7, 2026 21:09
@sumit-bose
Copy link
Contributor

sumit-bose commented Jan 8, 2026

Hi,

thank you for the patch. Have you considered to change the type of the option from DP_OPT_STRING to DP_OPT_BLOB to avoid logging the value as we already do e.g. for ldap_default_authtok?

bye,
Sumit

@alexey-tikhonov
Copy link
Member Author

alexey-tikhonov commented Jan 8, 2026

Have you considered to change the type of the option from DP_OPT_STRING to DP_OPT_BLOB to avoid logging the value as we already do e.g. for ldap_default_authtok?

I did.
But IIUC this would allow to configure non-ascii characters in the value and wasn't sure if 'oidc_child' would need additional filtering then.

@sumit-bose
Copy link
Contributor

sumit-bose commented Jan 8, 2026

Have you considered to change the type of the option from DP_OPT_STRING to DP_OPT_BLOB to avoid logging the value as we already do e.g. for ldap_default_authtok?

I did. But IIUC this would allow to configure non-ascii characters in the value and wasn't sure if 'oidc_child' would need additional filtering then.

I thought it is only about \0 in the value, DP_OPT_STRING would allow non-ascii like UTF-8 as well?

While talking about oidc_child, can you fix the logging in read_client_secret_from_stdin() as well?

Thanks.

bye,
Sumit

@alexey-tikhonov
IDP: avoid logging value of 'idp_client_secret'
ccbb09a 
Note that 'ldap_default_authtok' doesn't require special handling
because it is of DP_OPT_BLOB type and isn't logged.
@alexey-tikhonov
Copy link
Member Author

alexey-tikhonov commented Jan 8, 2026

Have you considered to change the type of the option from DP_OPT_STRING to DP_OPT_BLOB to avoid logging the value as we already do e.g. for ldap_default_authtok?

I did. But IIUC this would allow to configure non-ascii characters in the value and wasn't sure if 'oidc_child' would need additional filtering then.

I thought it is only about \0 in the value, DP_OPT_STRING would allow non-ascii like UTF-8 as well?

The questions is: what should be the type of this option from idp-provider/oidc_child point of view?
I thought it was 'string', not 'blob'.
If that's the case I still think that dp_get_options() needs to be fixed, not type of the option changed just because this would change logging behavior of some utility function (this is fragile - nothing will prevent changing this utility function to log blob values as well later).

A better solution would be introduction of a new 'DP_OPT_SENSITIVE_STRING' that would have proper d-tor and serve as a reminder "do not log me", but this would be much more invasive.

As to ldap_default_authtok, I thought it has BLOB type because it can have type 'obfuscated_password' and this is really a set of random bytes, no? I might be wrong here.

While talking about oidc_child, can you fix the logging in read_client_secret_from_stdin() as well?

Done.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sumit-bose sumit-bose Awaiting requested review from sumit-bose

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

@sumit-bose sumit-bose

Labels

no-backport This should go to target branch only. Trivial A single reviewer is sufficient to review the Pull Request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@alexey-tikhonov @sumit-bose