
strip-private doesn't strip string after "secret"
Closed, Resolved | Public | BUG

Description

# show | strip-private| match secret
                 secret someactualstring

should not happen

Details

Difficulty level: Unknown (require assessment)
Version: 1.5
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Unspecified (please specify)

Event Timeline

Do you have an example of the context in which that exists?

According to https://github.com/vyos/vyos-1x/blob/current/src/helpers/strip-private.py OpenVPN and IPsec secrets should already be stripped:

# Strip OpenVPN secrets
(True, re.compile(r'(shared-secret-key-file|ca-cert-file|cert-file|dh-file|key-file|client) (\S+)'), r'\1 xxxxxx'),
# Strip IPSEC secrets
(True, re.compile(r'pre-shared-secret \S+'), 'pre-shared-secret xxxxxx'),

Yup, VPN site-to-site authentication credentials are stored as "secret", hence the patch.

(20:39) cpo lnx01:~/vyos-1x [current] # git grep \"secret\" interface-definitions/
interface-definitions/vpn-ipsec.xml.in:                  <leafNode name="secret">
interface-definitions/vpn-l2tp.xml.in:                          <leafNode name="secret">
dmbaturin claimed this task.
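
An added example, not code from this thread or from strip-private.py: it runs the two rules quoted above over a constructed config fragment, reports which sensitive values survive, and then repeats the check with a hypothetical rule for the bare `secret` node. The `SECRET_RULE` pattern, the helper names and all sample values are assumptions; the actual patch is not shown on this page.

```python
import re

# The two rules quoted in the thread: (enabled, pattern, replacement).
QUOTED_RULES = [
    (True, re.compile(r'(shared-secret-key-file|ca-cert-file|cert-file|dh-file|key-file|client) (\S+)'), r'\1 xxxxxx'),
    (True, re.compile(r'pre-shared-secret \S+'), 'pre-shared-secret xxxxxx'),
]

# Hypothetical rule for the bare "secret" leaf node (assumption, not the merged patch).
# The lookbehind stops it from matching the tail of "pre-shared-secret".
# Like the quoted rules, \S+ only covers a value that contains no spaces.
SECRET_RULE = (True, re.compile(r'(?<![\w-])secret \S+'), 'secret xxxxxx')

# Constructed sample input; the values are placeholders, not real credentials.
SAMPLE = """\
authentication {
    mode pre-shared-secret
    pre-shared-secret ConstructedPSK1
    secret ConstructedValue2
}
key-file /config/auth/constructed.key
"""
SENSITIVE = ["ConstructedPSK1", "ConstructedValue2", "/config/auth/constructed.key"]


def strip_line(line, rules):
    """Apply every enabled rule to one config line."""
    for enabled, pattern, replacement in rules:
        if enabled:
            line = pattern.sub(replacement, line)
    return line


def leaked_values(config, rules, sensitive):
    """Return the sensitive values still present after stripping."""
    stripped = [strip_line(line, rules) for line in config.splitlines()]
    return [value for value in sensitive if any(value in line for line in stripped)]


if __name__ == "__main__":
    print("quoted rules only:", leaked_values(SAMPLE, QUOTED_RULES, SENSITIVE))
    print("with secret rule: ", leaked_values(SAMPLE, QUOTED_RULES + [SECRET_RULE], SENSITIVE))
```

A leak check of this kind, run over stripped output with a list of known test values, catches a node name that no rule covers before the output is shared.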