Core: [SECURITY] HA Log expose secrets

Created on 20 May 2020 · 9 Comments · Source: home-assistant/core

The problem


Home Assistant logs expose passwords, tokens... from the secrets file. I think all integrations using the secrets file are affected.

Environment

Problem-relevant configuration.yaml

http:
  base_url: !secret domain
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

tuya:
  username: !secret tuya_user
  password: !secret tuya_password
  country_code: !secret tuya_country

Traceback/Error logs

2020-05-20 19:57:15 WARNING (MainThread) [homeassistant.components.tuya] The 'tuya' option (with value 'OrderedDict([('username', xxxxx), ('password', 'xxxxx'), ('country_code', 34)])') is deprecated, please remove it from your configuration

2020-05-20 19:57:03 WARNING (MainThread) [homeassistant.components.http] The 'base_url' option (with value 'https://xxxx.duckdns.org:8123') is deprecated, please remove it from your configuration

Additional information

in progress http tuya

All 9 comments

This is actually not the tuya or http at fault, this is the general deprecation logic of Home Assistant that causes this.
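The deprecation warnings quoted in the issue include the option's resolved value, so `!secret` references end up in the log in clear text. As an added example that is not part of the original thread and is not Home Assistant's code (the function names, the filter class and the sample credentials are constructed for illustration), this Python example reproduces that message format, shows a variant that logs only the option name, and adds a logging filter that masks known secret values:

```python
import logging

# Message format copied from the warnings quoted in the issue.
LEAKY_FMT = "The '%s' option (with value '%s') is deprecated, please remove it from your configuration"
SAFE_FMT = "The '%s' option is deprecated, please remove it from your configuration"

def warn_deprecated_leaky(logger, key, config):
    """Behaviour seen in the issue: the resolved option value goes to the log."""
    if key in config:
        logger.warning(LEAKY_FMT, key, config[key])

def warn_deprecated_safe(logger, key, config):
    """Hardened form: name the option, never its value."""
    if key in config:
        logger.warning(SAFE_FMT, key)

class RedactSecrets(logging.Filter):
    """Defence in depth: mask known secret values in every record (hypothetical helper)."""
    def __init__(self, secrets):
        super().__init__()
        self._secrets = [str(s) for s in secrets if s]

    def filter(self, record):
        msg = record.getMessage()
        for secret in self._secrets:
            msg = msg.replace(secret, "**REDACTED**")
        record.msg, record.args = msg, None
        return True

def demo():
    """Return the three log lines produced for one constructed config."""
    secrets = {"tuya_user": "user@example.invalid", "tuya_password": "constructed-pw"}
    # What the config looks like after the !secret references are resolved.
    config = {"tuya": {"username": secrets["tuya_user"], "password": secrets["tuya_password"]}}
    lines = []
    handler = logging.Handler()
    handler.emit = lambda record: lines.append(record.getMessage())
    logger = logging.getLogger("deprecation_demo")
    logger.handlers, logger.propagate = [handler], False
    logger.setLevel(logging.WARNING)
    warn_deprecated_leaky(logger, "tuya", config)  # secrets reach the log
    warn_deprecated_safe(logger, "tuya", config)   # only the key is named
    handler.addFilter(RedactSecrets(secrets.values()))
    warn_deprecated_leaky(logger, "tuya", config)  # leaky call, masked by the filter
    return lines

if __name__ == "__main__":
    print("\n".join(demo()))
```

The filter only masks exact matches of values it was given, so it complements the safe message format and does not replace it.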

Hey there @ollo69, mind taking a look at this issue as it's been labeled with an integration (tuya) you are listed as a codeowner for? Thanks!
(message by CodeOwnersMention)

> This is actually not the tuya or http at fault, this is the general deprecation logic of Home Assistant that causes this.

Yes, I also thought that, but I put those integrations because the template asks for the integrations that have the problem and I thought that it was necessary. This is the first issue that I report in this repository.

@RodrigoTomeES That is fine! I just mentioned it so, for example, the maintainer of Tuya isn't pulling his hair out 😉

Maybe a stupid question, but after the latest update of HA I have that too.
Do we have to do anything?

> Maybe a stupid question, but after the latest update of HA I have that too.
> Do we have to do anything?

You can either wait for it to be fixed in a future update or fix the warnings; with this your secrets should disappear from the logs.

In both cases, when you fix it, you should delete the logs to remove your old warnings with secrets.

> Maybe a stupid question, but after the latest update of HA I have that too.
> Do we have to do anything?

You can either wait for it to be fixed and post an update or fix the warnings and it won't appear. In both cases, when you fix it, you delete the logs.

Oh OK, so the best thing I do is waiting to update the latest HA update to 0.110
till it's fixed?
Or could the error just be ignored, because I see most things work for me (just giving the error), and stay on the latest 0.110.2?

@mantaalex You can ignore it. The reason why I opened the issue was because the bug is a security problem.
It doesn't affect the correct working of Home Assistant.

> @mantaalex You can ignore it. The reason why I opened the issue was because the bug is a security problem.
> It doesn't affect the correct working of Home Assistant.

ok many thanks for the reply !
