Skip to content

Dev#122

Merged
vsilent merged 4 commits intomainfrom
dev
Mar 2, 2026
Merged

Dev#122
vsilent merged 4 commits intomainfrom
dev

Conversation

@vsilent
Copy link
Collaborator

@vsilent vsilent commented Mar 2, 2026

No description provided.

github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 2, 2026
View reviewed changes
src/console/commands/cli/ssh_key.rs
let _ = channel.eof().await;
let _ = handle.disconnect(russh::Disconnect::ByApplication, "", "English").await;

println!("✓ Vault public key injected into {}@{}:{} authorized_keys", username, host, port);

Check failure

Code scanning / CodeQL

Cleartext logging of sensitive information High

This operation writes
username
Loading
to a log file.

Copilot Autofix

AI 2 days ago

In general, to fix cleartext logging of sensitive information, avoid including raw sensitive values (credentials, identifiers tied to infrastructure, etc.) in log or console messages. If context is needed, log only non-sensitive metadata or a redacted/hashed form.

For this specific case, the fix is to change the success message on line 387 so it no longer prints the username value (and, if desired, reduce other connection detail exposure). This preserves behavior (indicating success) without exposing user-specific identifiers. The minimal change is to remove username from the println! format string and its argument list. No new imports or helper methods are required; we only edit the println! call in src/console/commands/cli/ssh_key.rs.

Concretely:

  • Locate the println! on line 387.
  • Replace the formatted string "✓ Vault public key injected into {}@{}:{} authorized_keys" with a message that does not interpolate username, e.g. "✓ Vault public key injected into remote authorized_keys", or, if you still want host/port, "✓ Vault public key injected into {}:{} authorized_keys".
  • Remove username from the argument list to match the new format string.
    All other logic remains unchanged.
Suggested changeset 1
src/console/commands/cli/ssh_key.rs

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/console/commands/cli/ssh_key.rs b/src/console/commands/cli/ssh_key.rs
--- a/src/console/commands/cli/ssh_key.rs
+++ b/src/console/commands/cli/ssh_key.rs
@@ -384,7 +384,7 @@
     let _ = channel.eof().await;
     let _ = handle.disconnect(russh::Disconnect::ByApplication, "", "English").await;
 
-    println!("✓ Vault public key injected into {}@{}:{} authorized_keys", username, host, port);
+    println!("✓ Vault public key injected into remote authorized_keys on {}:{}", host, port);
     println!();
     println!("You can now run:  stacker deploy");
 
EOF
@@ -384,7 +384,7 @@
let _ = channel.eof().await;
let _ = handle.disconnect(russh::Disconnect::ByApplication, "", "English").await;

println!("✓ Vault public key injected into {}@{}:{} authorized_keys", username, host, port);
println!("✓ Vault public key injected into remote authorized_keys on {}:{}", host, port);
println!();
println!("You can now run: stacker deploy");

Copilot is powered by AI and may make mistakes. Always verify output.
@vsilent vsilent merged commit 50d3569 into main Mar 2, 2026
16 of 17 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@vsilent