[subscription_manager] Obfuscate proxy password from curl cmdline

Curl to https://subscription.rhsm.redhat.com contains proxy password in plaintext. That is visible in process listing, stored in cmd output filename and kept in few other places (manifest, sos.log,..). When proxy password is set, use an auxiliary curl config file to store the password. Resolves: #3880 Signed-off-by: Pavel Moravec <[email protected]>
sosreport · Dec 13, 2024 · f4d1977 · f4d1977
1 parent 279ea13
commit f4d1977
Showing 1 changed file with 16 additions and 4 deletions.
diff --git a/sos/report/plugins/subscription_manager.py b/sos/report/plugins/subscription_manager.py
@@ -8,6 +8,7 @@
 
 from configparser import NoOptionError, NoSectionError
 import glob
+from os import remove
 from sos.report.plugins import Plugin, RedHatPlugin
 
 
@@ -21,6 +22,8 @@ class SubscriptionManager(Plugin, RedHatPlugin):
     files = ('/etc/rhsm/rhsm.conf',)
     packages = ('subscription-manager',)
 
+    curl_config = 'rhsm_curl_cfg'
+
     def get_proxy_string(self, config):
         """ return curl options --proxy[-user] per RHSM config """
         proxy = ""
@@ -33,10 +36,16 @@ def get_proxy_string(self, config):
             proxy = f"--proxy {proxy_scheme}://{proxy_hostname}{proxy_port}"
         proxy_user = config.get('server', 'proxy_user')
         if proxy and proxy_user:
-            proxy += f" --proxy-user {proxy_user}"
-            proxy_password = config.get('server', 'proxy_password')
-            if proxy_password:
-                proxy += f":{proxy_password}"
+            proxy_pass = config.get('server', 'proxy_password')
+            if proxy_pass:
+                self._curl_cfg_fname = self.archive.dest_path(self.curl_config)
+                with open(self._curl_cfg_fname, 'w', encoding='utf-8') as _f:
+                    _f.write(
+                        f"--proxy-user {proxy_user}:{proxy_pass}"
+                    )  # codeql[py/clear-text-storage-sensitive-data]
+                proxy += f" --config {self._curl_cfg_fname}"
+            else:
+                proxy += f" --proxy-user {proxy_user}"
         return proxy
 
     def get_server_url(self, config):
@@ -114,5 +123,8 @@ def postproc(self):
         regexp = r"(password(\s)*=(\s)*)(\S+)\n"
         repl = r"\1********\n"
         self.do_path_regex_sub("/var/lib/rhsm/repo_server_val/*", regexp, repl)
+        # if curl used config file to hide proxy password, remove the file
+        if self._curl_cfg_fname:
+            remove(self._curl_cfg_fname)
 
 # vim: et ts=4 sw=4