Don't log password command, even in debug mode

2024-11-10 09:03:02 +08:00 · 2023-05-04 12:00:21 +02:00 · 2023-05-04 12:00:21 +02:00 · 301c686727
commit 301c686727
parent 415d8b12f1
2 changed files with 14 additions and 4 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@ -11,6 +11,7 @@ In order to avoid a potential attack, the config file has to be world readable o
 # NPF-SEC-00003: Avoid password command divulgation

 Password command is encrypted in order to avoid it's divulgation if config file is world readable.
+Password command is also not logged.

 # NPF-SEC-00004: Client should never know the repo password

--- a/npbackup/core/runner.py
+++ b/npbackup/core/runner.py
@ -12,7 +12,7 @@ __build__ = "2023020201"

 from typing import Optional, Callable, Union, List
 import os
-from logging import getLogger
+import logging
 import queue
 import datetime
 from functools import wraps
@ -26,7 +26,7 @@ from npbackup.__main__ import __intname__ as NAME, __version__ as VERSION
 from npbackup import configuration


-logger = getLogger(__intname__)
+logger = logging.getLogger(__intname__)


 def metric_writer(config_dict: dict, restic_result: bool, result_string: str):
@ -224,9 +224,14 @@ class NPBackupRunner:
            try:
                password_command = self.config_dict["repo"]["password_command"]
                if password_command and password_command != "":
+                    # NPF-SEC-00003: Avoid password command divulgation
+                    cr_logger = logging.getLogger("command_runner")
+                    cr_loglevel = cr_logger.getEffectiveLevel()
+                    cr_logger.setLevel(logging.ERROR)
                    exit_code, output = command_runner(
                        password_command, shell=True, timeout=30
                    )
+                    cr_logger.setLevel(cr_loglevel)
                    if exit_code != 0 or output == "":
                        logger.error(
                            "Password command failed to produce output:\n{}".format(
@ -234,6 +239,9 @@ class NPBackupRunner:
                            )
                        )
                        can_run = False
+                    elif '\n' in output.strip():
+                        logger.error("Password command returned multiline content instead of a string")
+                        can_run = False
                    else:
                        password = output
                else:
@ -329,8 +337,9 @@ class NPBackupRunner:
        try:
            if env_variables:
                for env_variable in env_variables:
-                    key, value = env_variable.split("=")
-                    expanded_env_vars[key.strip()] = value.strip()
+                    if env_variable:
+                        key, value = env_variable.split("=")
+                        expanded_env_vars[key.strip()] = value.strip()
        except (KeyError, AttributeError, TypeError, ValueError):
            logger.error("Bogus environment variables defined in configuration.")
            logger.debug("Trace:", exc_info=True)