From 5284007c212aff8d3b4865dc41c05c85bc44f75b Mon Sep 17 00:00:00 2001 From: Phileco <132178579+krishnprakash@users.noreply.github.com> Date: Thu, 13 Mar 2025 07:32:20 +0530 Subject: [PATCH 1/2] Potential fix for code scanning alert no. 3: Clear-text logging of sensitive information Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- public/cloudflare-one/static/authenticated-doh.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/public/cloudflare-one/static/authenticated-doh.py b/public/cloudflare-one/static/authenticated-doh.py index f9154c297258972..eac4bd50ee59684 100644 --- a/public/cloudflare-one/static/authenticated-doh.py +++ b/public/cloudflare-one/static/authenticated-doh.py @@ -146,8 +146,7 @@ def request(method, url, body): if client_id == "new": service_token_name = input('Please input name for service token > ') client_id, client_secret = request_create_service_token(service_token_name) - print( - f"Created service token with client_id {client_id} and client_secret {client_secret}. You may want to save these secrets.") + print(f"Created service token with client_id {client_id}. Please save the client_id and client_secret securely.") if len(client_secret) == 0: From 4368026ba64de424261c7d5a04e26d92043e46ba Mon Sep 17 00:00:00 2001 From: Phileco <132178579+krishnprakash@users.noreply.github.com> Date: Thu, 13 Mar 2025 07:36:52 +0530 Subject: [PATCH 2/2] Delete public/cloudflare-one/static/authenticated-doh.py --- .../static/authenticated-doh.py | 176 ------------------ 1 file changed, 176 deletions(-) delete mode 100644 public/cloudflare-one/static/authenticated-doh.py diff --git a/public/cloudflare-one/static/authenticated-doh.py b/public/cloudflare-one/static/authenticated-doh.py deleted file mode 100644 index eac4bd50ee59684..000000000000000 --- a/public/cloudflare-one/static/authenticated-doh.py +++ /dev/null @@ -1,176 +0,0 @@ -#!/usr/bin/env python3 - -import os -import subprocess -import json -import time -from pprint import pprint - -verbose = os.environ.get('VERBOSE', False) - - -def check_for_command(command): - try: - subprocess.check_output(["command", "-v", command]) - except: - print( - f"Couldn't find required {command} command.") - exit(1) - - -check_for_command("jq") -check_for_command("curl") - - -def read_string_option(env_name, human_name): - v = os.environ.get(env_name, '') - if len(v) == 0: - v = input(f"Please input {human_name} > ") - if len(v) == 0: - print("Invalid {human_name}") - return read_string_option(env_name, human_name) - return v - - -def request_create_user(user_name, user_email): - url = f"{CF_API}/{account_tag}/access/users" - # could also take a `custom` attribute with a map, e.g. {"custom": { "datacenter": "DFW" }} - body = {'name': user_name, 'email': user_email} - return request_post(url, body) - - -def request_list_client_ids(): - client_ids_response = request_get( - f"{CF_API}/{account_tag}/access/service_tokens/") - - return " ".join(response['client_id'] for response in client_ids_response['result']) - - -def request_create_service_token(service_token_name): - response = request_post( - f"{CF_API}/{account_tag}/access/service_tokens/", {'name': service_token_name}) - client_id = response['result']['client_id'] - client_secret = response['result']['client_secret'] - return (client_id, client_secret) - - -def request_list_service_tokens(): - return request_get(f"{CF_API}/{account_tag}/access/service_tokens/") - - -def request_enable_service_token_for_doh(service_token_id): - url = f"{CF_API}/{account_tag}/access/organizations/doh/{service_token_id}" - return request_put(url,"") - - -def request_doh_token(account_tag, user_id, client_id, client_secret): - url = f"https://{team_name}.cloudflareaccess.com/cdn-cgi/access/doh-token?account-id={account_tag}&user-id={user_id}&auth-domain={team_name}.cloudflareaccess.com" - command = ['curl', '-s', url, '-X', 'GET', - '-H', f"Cf-Access-Client-Id: {client_id}", - '-H', f"Cf-Access-Client-Secret: {client_secret}"] - if verbose: - sanitized_command = [arg if "Cf-Access-Client-Secret" not in arg else "Cf-Access-Client-Secret: [REDACTED]" for arg in command] - print(f"Issuing request {' '.join(sanitized_command)}") - response = json.loads(subprocess.check_output(command)) - if verbose: - print("Got response:") - pprint(response) - return response['token'] - - -def request_post(url, body): - return request("POST", url, body) - -def request_put(url, body): - return request("PUT", url, body) - -def request_get(url): - return request("GET", url, None) - - -def request(method, url, body): - command = ['curl', '-s', url, '-X', method, '-H', f"X-Auth-Email: {email}", '-H', - f"X-Auth-Key: {auth_key}", '-H', 'Content-Type: application/json'] - if body: - command.append('--data') - command.append(json.dumps(body)) - if verbose: - print(f"Issuing request {' '.join(command)}") - response = json.loads(subprocess.check_output(command)) - if 'errors' in response and len(response['errors']) > 0: - pprint(response) - exit(-1) - if verbose: - print("Got response:") - pprint(response) - return response - - -account_tag = read_string_option('CF_ACCOUNT_TAG', "account tag") -email = read_string_option('CF_EMAIL', "auth email") -auth_key = read_string_option('CF_AUTH_KEY', "auth key") -team_name = read_string_option('CF_TEAM_NAME', "team name") - -print(f"Using {account_tag} as account tag") -print(f"Using {email} as auth email") -print(f"Using {team_name} as team name") - -CF_API = "https://api.cloudflare.com/client/v4/accounts" - -user_id = os.environ.get('USER_ID', "") - -if len(user_id) == 0: - print("No USER_ID provided, creating one.") - user_name = input('Please input a user name > ') - user_email = input('Please input a user email > ') - response = request_create_user(user_name, user_email) - user_id = response['result']['id'] - user_email = print(f"Created user with ID {user_id}") -else: - print(f"Using USER_ID={user_id}") - -client_ids = request_list_client_ids() - -client_id = os.environ.get('CLIENT_ID', "") - -if len(client_id) == 0: - print(f"Found following client IDs: {client_ids}") - client_id = input( - 'Please input service token client ID ("new" to create a new one)> ') - -if len(client_id) != 0 and client_id != "new" and client_id not in client_ids: - print("Client ID not found in account") - exit(-1) - -client_secret = "" -if client_id == "new": - service_token_name = input('Please input name for service token > ') - client_id, client_secret = request_create_service_token(service_token_name) - print(f"Created service token with client_id {client_id}. Please save the client_id and client_secret securely.") - - -if len(client_secret) == 0: - client_secret = read_string_option('CLIENT_SECRET', "client secret") - -service_tokens_response = request_list_service_tokens() - -service_token_id = [result['id'] - for result in service_tokens_response['result'] if result['client_id'] == client_id][0] - - -print("Enabling DoH token generation for service token") -request_enable_service_token_for_doh(service_token_id) - -print("Obtaining new DoH token (this request may fail if the previous ones haven't propagated yet)") -try: - doh_token = request_doh_token(account_tag, user_id, client_id, client_secret) -except json.decoder.JSONDecodeError: - print("Request failed, waiting for 60 seconds before retrying") - time.sleep(60) - doh_token = request_doh_token(account_tag, user_id, client_id, client_secret) -print(f"\n\nGot token: {doh_token}\n") - -print("You can now make doh requests such as:\n" - f"curl 'https://{account_tag}.cloudflare-gateway.com/dns-query?name=example.com' \\\n" - " -H 'accept: application/dns-json' \\\n" - f" -H 'CF-Authorization: {doh_token}' | jq")