Please fill out the sections below to help us address your issue
In a rails 6 application, I'm using Cognito to manage user authentication. I recently noticed that calls' logs are automatically added to the logs but there is an issue - Cognito initiate_auth method with auth_flow: "USER_PASSWORD_AUTH" is exposing the password provided by the user:
[Aws::CognitoIdentityProvider::Client 200 1.012806 0 retries] initiate_auth(client_id:"[FILTERED]",auth_flow:"USER_PASSWORD_AUTH",auth_parameters:{"USERNAME"=>"[email protected]","PASSWORD"=>"Test1234!"})
aws-sdk-core 3.67.0
aws-sdk-cognitoidentityprovider 1.25.0
ruby 2.6.3
Mac OS 10.13.6
my code:
COGNITO_CLIENT = Aws::CognitoIdentityProvider::Client.new
COGNITO_CLIENT.initiate_auth(
client_id: ENV['AWS_COGNITO_CLIENT_ID'],
auth_flow: 'USER_PASSWORD_AUTH',
auth_parameters: { 'USERNAME' => username, 'PASSWORD' => password }
)
The issue is related to the filter methods in https://github.com/aws/aws-sdk-ruby/blob/master/gems/aws-sdk-core/lib/aws-sdk-core/log/param_filter.rb
def filter_hash(values)
filtered = {}
values.each_pair do |key, value|
filtered[key] = @filters.include?(key) ? '[FILTERED]' : filter(value)
end
filtered
end
During parsing :auth_parameters hash keys of this hash are actually string written in the capital letters, so they do not match symbols form SENSITIVE constant.
My suggestion is to include 'PASSWORD' or :auth_parameters in SENSITIVE constant or to add some parsing to the key in this method to make it more universal like:
def filter_hash(values)
filtered = {}
values.each_pair do |key, value|
key = key.downcase.to_sym
filtered[key] = @filters.include?(key) ? '[FILTERED]' : filter(value)
end
filtered
end
This change produces log like:
[Aws::CognitoIdentityProvider::Client 200 0.836941 0 retries] initiate_auth(client_id:"[FILTERED]",auth_flow:"USER_PASSWORD_AUTH",auth_parameters:{username:"[FILTERED]",password:"[FILTERED]"})
Hi @miqs1992 ,
Thank-you for bringing this issue, right now the AuthParametersType is designed as map, mapping from a string to string which can be found here. This needs to be changed/modified in the service model. I have reached out to the Cognito IDP team and provided them with all the information about this issue. I can reach back to you once I have a response from the team.
thanks for the response. It was my last day before vacations so I wasn't able to take a deeper look at the Cognito code. I made a temporary fix, but it would be nice to fix this issue at the gem level.
Soft update - changes have been made upstream, they should be deployed into the SDKs when the Cognito team makes an API update.
Hi all - this is a pretty serious security issue. Logging passwords in plaintext should _never_ be okay.
I've got a fix similar to @miqs1992's suggestion above that should resolve the issue. Should I submit a PR?
cc @mullermp
PR submitted: https://github.com/aws/aws-sdk-ruby/pull/2219
Another soft update - @jessedoyle Cognito team has already made the change to their service model and staged in a feature release set in mid Feb.
This looks to have been updated by Cognito today. Can you verify @jessedoyle @miqs1992 ? https://github.com/aws/aws-sdk-ruby/blame/master/apis/cognito-idp/2016-04-18/api-2.json#L2587-L2591
Going to close this now. Reopen if needed.
@mullermp still has same problem with aws-sdk-s3 (1.60.2) version and aws-sdk-cognitoidentityprovider (1.32.0)
Yeah, confirmed. Opened back up https://github.com/aws/aws-sdk-ruby/pull/2219 as well as an apology for being wrong :(