plaid / plaid-node

Node bindings for Plaid

Home Page:https://plaid.com/docs


PLAID-SECRET is leaked in error objects

meshuamam opened this issue · comments

commented

When the Plaid client receives a 400 error, the error thrown will contain the PLAID-SECRET key. Since it's common practice to log an error object, this will often result in PLAID-SECRET being leaked to logs.

Consider the following scenario:

import { Configuration, CountryCode, PlaidApi } from 'plaid'

// Credentials are passed as default request headers. As described below, the
// same headers come back on the thrown error as err.config.headers.
const configuration = new Configuration({
  basePath: this.config.basePath,
  baseOptions: {
    headers: {
      'PLAID-CLIENT-ID': this.config.clientId,
      'PLAID-SECRET': this.config.secret,
    },
  },
})

this.client = new PlaidApi(configuration)

try {
  const response = await this.client.linkTokenCreate({
    client_name: clientName,
    country_codes: [CountryCode.Us],
    language: 'en',
    user: {
      client_user_id: clientUserId,
    },
    products: this.config.products,
  })

  this.logger.info('Plaid link token created', {
    clientName,
    env: this.config.environment,
  })

  return response.data.link_token
} catch (err) {
  // On a 400, err.config.headers still holds PLAID-SECRET, so this line logs it.
  this.logger.error(err)
  throw err
}

In this case, if we receive a 400 from the server (for example because the client_user_id is missing, or any other reason), err.config.headers will include PLAID-SECRET.
I haven't tested this with other error codes.
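The report above shows the unsafe pattern: passing the whole thrown error to a logger. Below is an added example (not code from the issue author, the plaid-node library, or Plaid) of a log-sanitizing wrapper a caller can apply in the catch block until the library stops attaching the headers. It assumes the axios-style error shape implied by `err.config.headers` in the report (`err.config.{method,url,headers}` and `err.response.{status,data}`); the sample error object, its header values and its response body are constructed here for illustration, not captured from Plaid.

```javascript
// Added example: build a log-safe view of a Plaid/axios-style error so that
// PLAID-SECRET (and PLAID-CLIENT-ID) never reach the logs.
// Assumption: the error carries err.config.headers and err.response.{status,data},
// as the issue's mention of err.config.headers suggests.

const SENSITIVE_HEADERS = new Set([
  'plaid-secret',
  'plaid-client-id',
  'authorization',
  'cookie',
]);

// Copy `headers`, replacing the value of every sensitive header.
// Header names are compared case-insensitively.
function redactHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name] = SENSITIVE_HEADERS.has(name.toLowerCase()) ? '[REDACTED]' : value;
  }
  return out;
}

// Produce a plain object safe to hand to a logger. This is an allow-list:
// nothing from `err` or `err.config` is spread in, so unknown fields are dropped.
function toLoggableError(err) {
  const config = err.config || {};
  const response = err.response || {};
  return {
    name: err.name,
    message: err.message,
    method: config.method,
    url: config.url,
    headers: redactHeaders(config.headers),
    status: response.status,
    // Plaid error bodies (error_type, error_code, request_id, ...) carry no
    // credentials and are what support needs, so they are kept as-is.
    data: response.data,
  };
}

// Quick check usable in tests or as a guard before logging: does the
// serialized object still contain the secret anywhere?
function containsSecret(obj, secret) {
  return JSON.stringify(obj).includes(secret);
}

// Constructed sample: what an axios error after a 400 from /link/token/create
// roughly looks like. Values are placeholders, not real Plaid data.
const SAMPLE_SECRET = 'example-secret-value-do-not-use';
const sampleError = Object.assign(new Error('Request failed with status code 400'), {
  config: {
    method: 'post',
    url: 'https://sandbox.plaid.com/link/token/create',
    headers: {
      'PLAID-CLIENT-ID': 'example-client-id',
      'PLAID-SECRET': SAMPLE_SECRET,
      'Content-Type': 'application/json',
    },
  },
  response: {
    status: 400,
    data: {
      error_type: 'INVALID_REQUEST',
      error_code: 'MISSING_FIELDS',
      error_message: 'constructed: user.client_user_id is missing',
      request_id: 'constructed-request-id',
    },
  },
});

const safe = toLoggableError(sampleError);
console.log(JSON.stringify(safe, null, 2));
console.log('secret in raw error:', containsSecret(sampleError, SAMPLE_SECRET)); // true, the leak
console.log('secret in safe view:', containsSecret(safe, SAMPLE_SECRET));       // false
```

In the catch block from the report this becomes `this.logger.error(toLoggableError(err))` followed by `throw err`; rethrowing the original error is still fine as long as nothing further up the stack logs it whole. Prefer the allow-list shape over a "delete the secret header" approach: a delete has to know every path the credential can appear on, while the allow-list only ever emits fields you chose.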

commented

Thank you for the report! I have sent this to our security team for prioritization. We will be primarily tracking work on this issue on our internal tracker, but I have subscribed to the issue in our internal Jira and will do my best to remember to update it here once it's fixed.

@phoenixy1 Any updates from the security team? I stumbled upon this issue and found that it affects us as well.

If removing the secret from the error response is not possible or will take a while, it would be good to at least put a page in the docs warning against logging the full error.

commented

@donleistman Security evaluated this issue and agreed it should be fixed, but at a priority level that does not have an SLA associated, so we don't have an ETA to share on the fix. I'll update the README as suggested.

Thanks @phoenixy1 ! Much appreciated

Hey @phoenixy1 I noticed that the warning you added to the README was removed. Do you know if the issue was fixed?

commented

Sorry, the issue was that I forgot that the README files are generated from a template so the changes got overwritten when the README was regenerated. I've made the update to the template file for the README so it'll get propagated the next time it gets regenerated.