Pulumi encrypts incorrectly strings with special characters #13564

Open
ahanoff opened this issue Apr 9, 2021 · 11 comments
Labels
area/docs Improvements or additions to documentation kind/documentation Improvements or additions to documentation kind/enhancement Improvements or new features

Comments

@ahanoff

ahanoff commented Apr 9, 2021

I had a password with special characters: 9#^XeshqnX$bG9vFPa@r7Ti98uo@sS, which I stored as a pulumi config secret and then retrieved from config and stored as an AWS SSM secret.
After comparison, the AWS SSM secret value and the original password don't match.

Expected behavior

It should match of course

Current behavior

It doesn't match

Steps to reproduce

  1. Add pulumi secret with special characters (for example 9#^XeshqnX$bG9vFPa@r7Ti98uo@sS )
  2. Take that secret from config and store it in AWS SecretsManager
  3. Retrieve AWS SecretsManager secret value and compare with original

Context (Environment)

Affected feature

@t0yv0 t0yv0 self-assigned this Apr 13, 2021
@t0yv0
Member

t0yv0 commented Apr 13, 2021

Could you provide a script to reproduce? I currently cannot reproduce with this Python script:

import subprocess as sp

secret = """9#^XeshqnX$bG9vFPa@r7Ti98uo@sS"""

p = sp.Popen('pulumi config set my_secret --secret', shell=True,
             stdout=sp.PIPE, stdin=sp.PIPE, stderr=sp.PIPE)

p.communicate(input=secret.encode('utf-8'))

secret2 = sp.check_output('pulumi config get my_secret', shell=True) \
            .decode('utf-8').strip()

assert secret == secret2, 'secret string does not turn around'

Note: since your string contains special characters you must be careful about escaping them correctly through your shell etc.

@ahanoff
Author

ahanoff commented Apr 13, 2021

https://github.com/ahanoff/pulumi-secret-bug

@t0yv0 sure, please find minimal code to reproduce (I'm using nodejs with typescript). I added readme with steps that I did.

@t0yv0
Member

t0yv0 commented Apr 13, 2021

What shell do you use? What does this print?

echo "9#^XeshqnX$bG9vFPa@r7Ti98uo@sS"

In bash/zsh you need to apply escaping to certain characters like $.

@ahanoff
Author

ahanoff commented Apr 13, 2021

echo "9#^XeshqnX$bG9vFPa@r7Ti98uo@sS"
9#^XeshqnX@r7Ti98uo@sS

damn, you are right @t0yv0
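The expansion seen in the exchange above, reproduced as an added example (not part of the original thread and not Pulumi code). The function names `mangled`, `expands_in_double_quotes`, `sh_quote` and `via_stdin` are hypothetical, and `cat` stands in for a CLI that reads the secret from standard input.

```shell
#!/bin/sh
# Added example. The password is the one quoted in the issue; single quotes
# keep the shell from expanding anything inside it.
SECRET='9#^XeshqnX$bG9vFPa@r7Ti98uo@sS'

# Same text inside double quotes: the shell replaces $bG9vFPa with the value
# of an (unset) variable before any program is started.
mangled() {
    unset bG9vFPa
    printf '%s' "9#^XeshqnX$bG9vFPa@r7Ti98uo@sS"
}

# True if the string contains a character that is special inside double
# quotes: $ ` \ " (and ! for history expansion in interactive bash/zsh).
expands_in_double_quotes() {
    case $1 in
        *'$'*|*'`'*|*'\'*|*'"'*|*'!'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Hypothetical helper: wrap any string as a single-quoted shell literal,
# rewriting each embedded ' as '\'' so it can be pasted into a command line.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Passing the value on stdin avoids command-line parsing altogether; cat
# stands in for a CLI that reads the secret from standard input.
via_stdin() {
    printf '%s' "$1" | cat
}

printf 'double-quoted : %s\n' "$(mangled)"
printf 'single-quoted : %s\n' "$SECRET"
printf 'paste-safe    : %s\n' "$(sh_quote "$SECRET")"
printf 'via stdin     : %s\n' "$(via_stdin "$SECRET")"
expands_in_double_quotes "$SECRET" && echo 'needs single quotes or stdin'
```

Comparing the length or a hash of the stored value against the original right after setting it catches this kind of silent truncation before the secret is propagated to other systems.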

@t0yv0
Member

t0yv0 commented Apr 13, 2021

Closing, sounds like not a pulumi bug.

@t0yv0 t0yv0 closed this as completed Apr 13, 2021
@t0yv0 t0yv0 added the resolution/no-repro This issue wasn't able to be reproduced label Apr 13, 2021
@emirozmen07

What shell do you use? What does this print?

echo "9#^XeshqnX$bG9vFPa@r7Ti98uo@sS"

In bash/zsh you need to apply escaping to certain characters like $.

Maybe, can we add a warning for this, for the zsh/bash terminals?

@Frassle
Member

Frassle commented Dec 10, 2024

Maybe, can we add a warning for this, for the zsh/bash terminals?

How could we warn about it? By the time the pulumi process sees the text it's already been escaped by the shell. We'd have to warn on every input because potentially anything could have been escaped.

@emirozmen07

emirozmen07 commented Dec 10, 2024

True.

When you use single quotes it prints without formatting the variables. Maybe if you use double quotes, it can be warned (if it's detectable). Or this info could be recommended in the docs as a little note? It's not very important anyway, though.

https://www.pulumi.com/docs/iac/concepts/secrets/

@Frassle
Member

Frassle commented Dec 10, 2024

Or this info could be recommended in the docs as a little note?

We can do that.

@Frassle Frassle reopened this Dec 10, 2024
@Frassle Frassle transferred this issue from pulumi/pulumi Dec 10, 2024
@github-actions github-actions bot added the needs-triage Needs attention from the triage team label Dec 10, 2024
@Frassle Frassle added area/docs Improvements or additions to documentation and removed needs-triage Needs attention from the triage team resolution/no-repro This issue wasn't able to be reproduced labels Dec 10, 2024
@github-project-automation github-project-automation bot moved this to 🤔 Triage in Docs 📚 Dec 10, 2024
@thoward thoward moved this from 🤔 Triage to 🧳 Backlog in Docs 📚 Dec 11, 2024
@thoward
Contributor

thoward commented Dec 11, 2024

@Frassle are you going to add this to the current sprint and pick this up or should we work this into our planning?

@thoward thoward added kind/enhancement Improvements or new features kind/documentation Improvements or additions to documentation labels Dec 11, 2024
@Frassle
Member

Frassle commented Dec 11, 2024

If you can pick it up it would be grand. I've only got two days left before a long time off so I'm pretty thin on time.
