Aws-sdk-ruby: Aws::CognitoIdentityProvider::Client initiate_auth exposes user password in logs

Created on 20 Sep 2019  路  10Comments  路  Source: aws/aws-sdk-ruby

Please fill out the sections below to help us address your issue

Issue description

In a rails 6 application, I'm using Cognito to manage user authentication. I recently noticed that calls' logs are automatically added to the logs but there is an issue - Cognito initiate_auth method with auth_flow: "USER_PASSWORD_AUTH" is exposing the password provided by the user:

[Aws::CognitoIdentityProvider::Client 200 1.012806 0 retries] initiate_auth(client_id:"[FILTERED]",auth_flow:"USER_PASSWORD_AUTH",auth_parameters:{"USERNAME"=>"[email protected]","PASSWORD"=>"Test1234!"})

Gem name ('aws-sdk', 'aws-sdk-resources' or service gems like 'aws-sdk-s3') and its version

aws-sdk-core 3.67.0
aws-sdk-cognitoidentityprovider 1.25.0

Version of Ruby, OS environment

ruby 2.6.3
Mac OS 10.13.6

Code snippets / steps to reproduce

my code:

COGNITO_CLIENT = Aws::CognitoIdentityProvider::Client.new
COGNITO_CLIENT.initiate_auth(
  client_id: ENV['AWS_COGNITO_CLIENT_ID'],
  auth_flow: 'USER_PASSWORD_AUTH',
  auth_parameters: { 'USERNAME' => username, 'PASSWORD' => password }
)

The issue is related to the filter methods in https://github.com/aws/aws-sdk-ruby/blob/master/gems/aws-sdk-core/lib/aws-sdk-core/log/param_filter.rb

def filter_hash(values)
  filtered = {}
  values.each_pair do |key, value|
    filtered[key] = @filters.include?(key) ? '[FILTERED]' : filter(value)
  end
  filtered
end

During parsing :auth_parameters hash keys of this hash are actually string written in the capital letters, so they do not match symbols form SENSITIVE constant.

My suggestion is to include 'PASSWORD' or :auth_parameters in SENSITIVE constant or to add some parsing to the key in this method to make it more universal like:

def filter_hash(values)
  filtered = {}
  values.each_pair do |key, value|
    key = key.downcase.to_sym
    filtered[key] = @filters.include?(key) ? '[FILTERED]' : filter(value)
  end
  filtered
end

This change produces log like:

[Aws::CognitoIdentityProvider::Client 200 0.836941 0 retries] initiate_auth(client_id:"[FILTERED]",auth_flow:"USER_PASSWORD_AUTH",auth_parameters:{username:"[FILTERED]",password:"[FILTERED]"})
service-api

All 10 comments

Hi @miqs1992 ,

Thank-you for bringing this issue, right now the AuthParametersType is designed as map, mapping from a string to string which can be found here. This needs to be changed/modified in the service model. I have reached out to the Cognito IDP team and provided them with all the information about this issue. I can reach back to you once I have a response from the team.

thanks for the response. It was my last day before vacations so I wasn't able to take a deeper look at the Cognito code. I made a temporary fix, but it would be nice to fix this issue at the gem level.

Soft update - changes have been made upstream, they should be deployed into the SDKs when the Cognito team makes an API update.

Hi all - this is a pretty serious security issue. Logging passwords in plaintext should _never_ be okay.

I've got a fix similar to @miqs1992's suggestion above that should resolve the issue. Should I submit a PR?

cc @mullermp

Another soft update - @jessedoyle Cognito team has already made the change to their service model and staged in a feature release set in mid Feb.

This looks to have been updated by Cognito today. Can you verify @jessedoyle @miqs1992 ? https://github.com/aws/aws-sdk-ruby/blame/master/apis/cognito-idp/2016-04-18/api-2.json#L2587-L2591

Going to close this now. Reopen if needed.

@mullermp still has same problem with aws-sdk-s3 (1.60.2) version and aws-sdk-cognitoidentityprovider (1.32.0)

Yeah, confirmed. Opened back up https://github.com/aws/aws-sdk-ruby/pull/2219 as well as an apology for being wrong :(

Was this page helpful?
0 / 5 - 0 ratings