Bug #38273
closed
flatpak-remote create writes the token string to production.log in plaintext
Description
Issue cloned from https://issues.redhat.com/browse/SAT-31304
When creating a flatpak remote in Satellite, the flatpak token value from https://access.redhat.com/terms-based-registry/ is written to the production.log in plaintext. That allows any user on the Satellite system to read it.
Steps to Reproduce:
1. Generate flatpak token on https://access.redhat.com/terms-based-registry/
2. Create a flatpak remote in Satellite pointing to Redhat flatpak remote:

    export FLATPAK_TOKEN="your_token"
    hammer flatpak-remote create --name="Redhat flatpak" --url="https://flatpaks.redhat.io/rhel" --organization-id=1 --username="your_username" --token="$FLATPAK_TOKEN"

3. Search in /var/log/foreman/production.log for `https://flatpaks.redhat.io/rhel`:

    $ grep https://flatpaks.redhat.io/rhel /var/log/foreman/production.log
    2025-02-20T16:03:58 [I|app|40a9f219] Parameters: {"name"=>"Redhat flatpak", "url"=>"https://flatpaks.redhat.io/rhel", "organization_id"=>1, "username"=>"pmoravec's_username", "token"=>".......", "api_version"=>"v2", "flatpak_remote"=>{"name"=>"Redhat flatpak", "url"=>"https://flatpaks.redhat.io/rhel", "organization_id"=>1, "username"=>"pmoravec's_username", "token"=>".............."}}
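An added example, not part of the original report or of Katello's code: a Ruby check that scans Rails `Parameters:` log lines like the one above and reports sensitive keys whose value is not the `[FILTERED]` mask that Rails parameter filtering writes. The `SENSITIVE_KEYS` list, the function names and the sample log lines are assumptions constructed for illustration.

```ruby
# Keys treated as secrets (assumption: extend for your deployment).
SENSITIVE_KEYS = %w[token password secret].freeze
# Placeholder Rails logs in place of a filtered parameter value.
FILTERED = "[FILTERED]"
# "key"=>"value" pairs as printed by Hash#inspect, allowing escaped quotes.
PAIR = /"(\w+)"=>"((?:\\.|[^"\\])*)"/

# Returns the sensitive keys logged with a cleartext value on one line.
# Only key names are returned, so the audit never re-prints the secret.
def leaked_params(line)
  return [] unless line.include?("Parameters: {")
  hits = line.scan(PAIR).select do |key, value|
    SENSITIVE_KEYS.any? { |s| key.downcase.include?(s) } &&
      !value.empty? && value != FILTERED
  end
  hits.map(&:first)
end

# Returns one finding per offending line: line number, request id, keys.
def audit(lines)
  findings = lines.each_with_index.map do |line, i|
    keys = leaked_params(line)
    next if keys.empty?
    { line: i + 1, request_id: line[/\[I\|app\|(\h+)\]/, 1], keys: keys.uniq }
  end
  findings.compact
end

# Constructed sample input: one unfiltered request, one filtered, one unrelated.
SAMPLE_LOG = [
  '2025-02-20T16:03:58 [I|app|aaaa0001] Parameters: {"name"=>"demo", ' \
  '"organization_id"=>1, "username"=>"alice", "token"=>"CONSTRUCTED-VALUE", ' \
  '"flatpak_remote"=>{"name"=>"demo", "token"=>"CONSTRUCTED-VALUE"}}',
  '2025-02-20T16:05:10 [I|app|aaaa0002] Parameters: {"name"=>"demo", ' \
  '"username"=>"alice", "token"=>"[FILTERED]", ' \
  '"flatpak_remote"=>{"name"=>"demo", "token"=>"[FILTERED]"}}',
  '2025-02-20T16:05:11 [I|app|aaaa0002] Completed 201 Created in 120ms'
].freeze

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_LOG).each do |f|
    puts "line #{f[:line]} request #{f[:request_id]}: cleartext #{f[:keys].join(', ')}"
  end
end
```

Run against the real log by passing `File.foreach("/var/log/foreman/production.log")` to `audit`; any finding means a credential that was logged in cleartext and should be rotated.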
Updated by The Foreman Bot 4 days ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/Katello/katello/pull/11339 added
Updated by Quinn James 3 days ago
- Status changed from Ready For Testing to Closed
Applied in changeset katello|56d9f30ef9fd6f7e186dc0dbfbec0edc345b114d.