C# library outputs secret information to the ASP.NET Kestrel log file #852

Open
1 task done
dmtooke-imm opened this issue Jun 18, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@dmtooke-imm

Steps To Reproduce

I'm using BWS to store database connection strings for an ASP.NET MVC application. In a simple example, this can be done like so:

protected override void OnConfiguring(DbContextOptionsBuilder optionsBuilder)
{
    if (!optionsBuilder.IsConfigured)
    {
        var accessToken = Environment.GetEnvironmentVariable("MY_TOKEN")!;
        var secretId = Guid.Parse(Environment.GetEnvironmentVariable("MY_SECRET")!)!;
        var bitwardenClient = new BitwardenClient();
        bitwardenClient.AccessTokenLogin(accessToken);
        var secretResponse = bitwardenClient.Secrets.Get(secretId);
        string _connectionString = secretResponse.Value;
        optionsBuilder.UseMySQL(_connectionString);
    }
}

At runtime, BWS is logging the secret data to the Kestrel log:

2024-06-18 09:41:20 {"accessTokenLogin":{"accessToken":"REDACTED"}}
2024-06-18 09:41:20 {"secrets":{"get":{"id":"REDACTED"}}}

Expected Result

That secret information would not be logged

Actual Result

Secret information is logged

Screenshots or Videos

No response

Additional Context

.NET 8

Operating System

Windows, Linux

Operating System Version

Windows 11, Linux Docker containers

Build Version

0.0.1-alpha

Issue Tracking Info

  • I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
@dmtooke-imm dmtooke-imm added the bug Something isn't working label Jun 18, 2024
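
Added example, not part of the issue thread or of the Bitwarden SDK: a triage script that scans an existing log for lines of the shape reported above, reports which entries carried a non-redacted access token or secret id, and returns redacted copies. The sample lines and their values are constructed; the two key paths are the ones visible in the log excerpt, and the function names are hypothetical.

```python
import json
import re

# Line shape taken from the issue: "<date> <time> <JSON command object>".
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\{.*\})\s*$")
# Key paths seen in the issue's excerpt; any further entries would be assumptions.
SENSITIVE_PATHS = {
    ("accessTokenLogin", "accessToken"): "access token",
    ("secrets", "get", "id"): "secret id",
}

def _walk(node, path=()):
    # Yield (path, parent_dict, key) for every non-dict leaf of a JSON object.
    for key, value in node.items():
        if isinstance(value, dict):
            yield from _walk(value, path + (key,))
        else:
            yield path + (key,), node, key

def scan_line(line):
    """Return (findings, output_line); lines without findings pass through unchanged."""
    m = LINE_RE.match(line)
    if not m:
        return [], line
    try:
        payload = json.loads(m.group(2))
    except json.JSONDecodeError:
        return [], line  # looks like a command line but is truncated or corrupt
    findings = []
    for path, parent, key in list(_walk(payload)):
        kind = SENSITIVE_PATHS.get(path)
        if kind and parent[key] not in (None, "", "REDACTED"):
            findings.append({"time": m.group(1), "kind": kind, "path": ".".join(path)})
            parent[key] = "REDACTED"
    redacted = f"{m.group(1)} {json.dumps(payload, separators=(',', ':'))}"
    return findings, (redacted if findings else line)

def scan_log(lines):
    """Scan an iterable of log lines; return (all_findings, redacted_lines)."""
    results = [scan_line(raw.rstrip("\n")) for raw in lines]
    return [h for hits, _ in results for h in hits], [out for _, out in results]

# Constructed sample log; the values are made up, not real credentials.
SAMPLE = [
    "Now listening on: http://localhost:5000",
    '2024-06-18 09:41:20 {"accessTokenLogin":{"accessToken":"0.constructed-token.example"}}',
    '2024-06-18 09:41:20 {"secrets":{"get":{"id":"11111111-2222-3333-4444-555555555555"}}}',
]
```

An access token reported as a finding has been written to the log in cleartext, so rotate it in addition to redacting the file.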
@coltonhurst
Member

Hey @dmtooke-imm, thanks for reporting this. We have verified this logging is no longer happening on the latest builds of the SDK. We will need to update our C# NuGet package though 🙂

I'll come back and update this thread once this happens.

@dmtooke-imm
Author

Great, thanks. It's a nice library and I hope it becomes fully supported and more widely advertised soon.
