Comments (8)
Hello,
wordmove considers the following strings as secrets:
secrets << options.dig(env, :database, :password)
secrets << options.dig(env, :database, :host)
secrets << options.dig(env, :vhost)
secrets << options.dig(env, :ssh, :password)
secrets << options.dig(env, :ssh, :host)
secrets << options.dig(env, :ftp, :password)
secrets << options.dig(env, :ftp, :host)
secrets << options.dig(env, :wordpress_path)
where options are all the keys in movefile.yml and env is the local root key or any other root key representing a remote environment.
Thus only the db password and host. Db name and db user are not intended to be censored.
Talking about the password, this is what I reproduce on the same wordmove version as yours:
remote | mysqldump --host=[secret] --user=sshwordmove --password=[secret] --result-file="[secret]/wp-content/dump.sql" sshwordmove
Each string is censored using a really basic regular expression constructed like, e.g.: having
database:
host: 'myhost.com'
password: 'badpassword'
the regex will be myhost\.com|badpassword. Each string's chars are escaped to be used as literals in the resulting regex and the strings are concatenated with an "or" |.
That's FYI and for my revision and memory.
Problem is that I cannot imagine what's breaking the toy here. I'd really need to have a string in order to reproduce the failure. I know that the string is your DB password, but if you'd be able to change it and tell me the old failing one I could write a test in order to check what's happening.
The described logger behaviour also has a bit of test coverage here: wordmove/spec/logger/logger_spec.rb (line 1 in 96e2b41)
from wordmove.
The password contains a #.
passwort: "R4ndom#+Str1nG"
The output shows a backslash:
remote | mysqldump --host=[secret] --user=[] --password=R4ndom\#+Str1nG [...]
You might want to add a testcase with | as well as anything that would need to be escaped in a shell, like spaces, semicolons, quotes etc..
from wordmove.
Thank you very much for the string :) I'll do some testing ASAP trying to make it fail.
You might want to add a testcase with | as well as anything that would need to be escaped in a shell, like spaces, semicolons, quotes etc..
A word of context: I do not need to escape those string for the shell, but for the regex engine. Shell escaping exists and is implemented in the context of command execution. Here we're in the context of the stdout logger.
Moreover what I'm testing is that wordmove is able to substitute strings on stdout, not the escape algorithm itself: Regexp.escape is part of the ruby stdlib and doesn't need me to test it. But for sure adding some chars in the tested string could be useful.
I'll come back with news.
from wordmove.
Hi @castilma ,
I've done a bit of testing; you can read what I tested at https://github.com/welaika/wordmove/pull/642/files and see results at https://github.com/welaika/wordmove/runs/5167816431?check_suite_focus=true#step:7:6
I've tested the behaviour on top of the branch bringing the 6.0.alpha version: I'm not able to spend effort on the previous versions. But I'd bet that the involved code should have remained the same. Even if I'm wrong, I'd consider the bug fixed in the next candidate version, thus I'm not prone to consolidate the bug.
We're on the path to move 6.0 from alpha to beta since we've done some internal testing and some community driven testing too. I don't know if it could be possible for you, but I'd ask if you could do some testing with the alpha version.
Preliminary info about the upcoming version can be found at #624 and a user testing experience at #632
from wordmove.
How can I install 6.0 as ruby gem? Or do I need to clone the repo?
Here we're in the context of the stdout logger.
But doesn't the logger log the executed commandlines? And those contain the shellescaped secrets? So it should look for shellescaped secrets, too.
I left a review on #642.
from wordmove.
Thank you very much
from wordmove.
This is confirmed as a bug in the form that the script puts shell-escaped strings on STDOUT, then searches for secrets by using unescaped strings.
Still not decided how to definitely approach the problem, but I officially have to deal with it :)
Thanks again for the useful report and for the smart analysis
from wordmove.
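The following is an added example, not code from the wordmove project or from anyone in this thread. It reconstructs the censoring mechanism described in the first comment (collect secrets from the movefile options, Regexp.escape each one, join with |) and reproduces the bug confirmed above: the logged command line carries the shell-escaped password, so the unescaped pattern never matches it. The hardened variant also adds the shell-escaped form of every secret to the pattern. The OPTIONS hash is a constructed sample, the function names are hypothetical, and Shellwords.escape is assumed here as the escaping step (it produces the backslash before # that the reporter observed).

```ruby
require "shellwords"

# Constructed sample of a movefile-style options hash (not a real config).
OPTIONS = {
  remote: {
    database: { host: "myhost.com", user: "sshwordmove", password: "R4ndom#+Str1nG" },
    vhost: "https://example.com",
    wordpress_path: "/var/www/wp"
  }
}.freeze

# Mirror the key list from the thread: only these values are treated as secrets.
SECRET_KEYS = [
  [:database, :password], [:database, :host], [:vhost],
  [:ssh, :password], [:ssh, :host], [:ftp, :password], [:ftp, :host],
  [:wordpress_path]
].freeze

def secrets_for(options, env)
  SECRET_KEYS.map { |path| options.dig(env, *path) }.compact.reject(&:empty?)
end

# Naive censor: escape each raw secret for the regex engine and join with "|".
def naive_censor_regex(secrets)
  Regexp.new(secrets.map { |s| Regexp.escape(s) }.join("|"))
end

# Hardened censor: also match the shell-escaped rendering of each secret,
# longest variants first so a longer form is not shadowed by a shorter one.
def hardened_censor_regex(secrets)
  variants = secrets.flat_map { |s| [s, Shellwords.escape(s)] }.uniq
  Regexp.new(variants.sort_by { |v| -v.length }.map { |v| Regexp.escape(v) }.join("|"))
end

def censor(line, regex)
  line.gsub(regex, "[secret]")
end

# Simulate the command line the logger sees: every argument is shell-escaped.
def build_dump_command(options, env)
  db = options.dig(env, :database)
  dump = "#{options.dig(env, :wordpress_path)}/wp-content/dump.sql"
  "mysqldump --host=#{Shellwords.escape(db[:host])} " \
    "--user=#{Shellwords.escape(db[:user])} " \
    "--password=#{Shellwords.escape(db[:password])} " \
    "--result-file=#{Shellwords.escape(dump)}"
end

if __FILE__ == $PROGRAM_NAME
  secrets = secrets_for(OPTIONS, :remote)
  cmd = build_dump_command(OPTIONS, :remote)
  puts "naive:    #{censor(cmd, naive_censor_regex(secrets))}"
  puts "hardened: #{censor(cmd, hardened_censor_regex(secrets))}"
end
```

With the naive pattern the host and path are replaced but the password leaks as R4ndom\#+Str1nG, exactly the shape shown in the report; the hardened pattern censors all three. A password made only of characters the shell leaves alone would pass the naive check, which is why a test string should include characters the shell escapes.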
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
from wordmove.