Skip to content

Fix OTP secret leak in error message #210

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

Fix OTP secret leak in error message #210

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 10 additions & 2 deletions otp.bash
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,6 @@ urldecode() {

# Parse a Key URI per: https://github.com/google/google-authenticator/wiki/Key-Uri-Format
# Vars are consumed by caller
# shellcheck disable=SC2034
otp_parse_uri() {
local uri="$1"

Expand All @@ -60,11 +59,20 @@ otp_parse_uri() {

otp_uri=${BASH_REMATCH[0]}
otp_type=${BASH_REMATCH[1]}
# shellcheck disable=SC2034
otp_label=${BASH_REMATCH[3]}

otp_accountname=$(urldecode "${BASH_REMATCH[6]}")
[[ -z $otp_accountname ]] && otp_accountname=$(urldecode "${BASH_REMATCH[4]}") || otp_issuer=$(urldecode "${BASH_REMATCH[4]}")
[[ -z $otp_accountname ]] && die "Invalid key URI (missing accountname): $otp_uri"
if [[ -z $otp_accountname ]]; then
# Using sub-shell here to only apply extglob to this pattern and not change
# the behaviour of other parantheses in this script
redacted_otp_uri=$(
shopt -s extglob
echo "${otp_uri//secret=+([^&])/secret=REDACTED}"
)
die "Invalid key URI (missing accountname): $redacted_otp_uri"
fi

local p=${BASH_REMATCH[9]}
local params
Expand Down