-
Notifications
You must be signed in to change notification settings - Fork 38.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kubeadm: Avoid logging token in RunDeleteTokens #94727
kubeadm: Avoid logging token in RunDeleteTokens #94727
Conversation
Welcome @mlevesquedion! |
Hi @mlevesquedion. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @mlevesquedion
/ok-to-test
return errors.Errorf("given token %q didn't match pattern %q or %q", | ||
tokenIDOrToken, bootstrapapi.BootstrapTokenIDPattern, bootstrapapi.BootstrapTokenIDPattern) | ||
return errors.Errorf("given token didn't match pattern %q or %q", | ||
bootstrapapi.BootstrapTokenIDPattern, bootstrapapi.BootstrapTokenIDPattern) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
here we can assume if the token pattern is invalid, the token is invalid. so printing it here as part of the error can only be problematic if a good token is part of the message - e.g. valid-tokenfoo
, where if foo
is removed one can get the token.
in any case this change is fine.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks for the PR
/lgtm
/approve
/priority backlog
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mlevesquedion, neolit123 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/milestone v1.20 |
What type of PR is this?
/kind bug
What this PR does / why we need it:
This PR fixes a (small) vulnerability in
kubeadm
. I have reported the vulnerability to HackerOne and they have informed me that based on the high attack complexity and low severity, they think this can be reported and fixed publicly. Details are in this issue: kubernetes/kubeadm#2287Does this PR introduce a user-facing change?: