google / shifter

Shifter - OpenShift workloads to GKE/Anthos

Home Page: https://shifter.cloud

BUG: RSA PRIVATE KEY was publicly exposed

aravindb26 opened this issue · comments

Hi team, hope you are doing well :)

I have found a bug in your repository: https://github.com/google/shifter/blob/173d6574b6010af21910f0f7ca9c43879b8720d0/okd-cluster/4.x/02-appdeployment/bank-of-anthos/kubernetes-manifests/jwt/jwt-secret.yaml

As it was ENCODED here in the form of
jwtRS256.key:

After doing Base64 decode I got the RSA PRIVATE KEY

Impact:

RSA private key is used to generate digital signatures, and the RSA public key is used to verify digital signatures. The RSA public key is also used for key encryption of DES or AES DATA keys and the RSA private key for key recovery.

Demo application used for pipelines - this is not an issue. Closing.
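
Added example (not part of the original issue or the shifter repository): a small pre-commit style check that Base64-decodes the values in a Kubernetes Secret manifest and flags any that decode to a PEM private key, which is the condition the report describes for `jwtRS256.key`. It assumes single-line `name: value` entries; the manifest, the Secret name `jwt-key`, and the `jwtRS256.key.pub` entry are constructed sample data.

```python
import base64
import binascii
import re

# Matches PEM headers for private keys (RSA, EC, DSA, OpenSSH, PKCS#8).
PEM_PRIVATE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
# An indented "name: value" line, as found under data: in a Secret manifest.
ENTRY = re.compile(r"^\s+([\w.\-]+):\s*([A-Za-z0-9+/=]{16,})\s*$")

def find_encoded_private_keys(manifest_text):
    """Return (line_number, key_name) for each Base64 value that decodes to a PEM private key."""
    findings = []
    for lineno, line in enumerate(manifest_text.splitlines(), start=1):
        match = ENTRY.match(line)
        if not match:
            continue
        name, value = match.groups()
        try:
            decoded = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64, so not an encoded Secret value
        if PEM_PRIVATE.search(decoded):
            findings.append((lineno, name))
    return findings

# Constructed sample: the PEM bodies are placeholder strings, not key material.
FAKE_PRIVATE = b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
FAKE_PUBLIC = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PUBLIC KEY-----\n"
SAMPLE_MANIFEST = "\n".join([
    "apiVersion: v1",
    "kind: Secret",
    "metadata:",
    "  name: jwt-key",  # hypothetical Secret name
    "type: Opaque",
    "data:",
    "  jwtRS256.key: " + base64.b64encode(FAKE_PRIVATE).decode(),
    "  jwtRS256.key.pub: " + base64.b64encode(FAKE_PUBLIC).decode(),
])

if __name__ == "__main__":
    for lineno, name in find_encoded_private_keys(SAMPLE_MANIFEST):
        print(f"line {lineno}: {name} decodes to a PEM private key")
```

Base64 in a Secret's `data:` field is an encoding, not encryption, so a check like this treats the encoded value exactly as it would a plaintext key.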