Skip to content

[Security] Credential env map included in Lombok @ToString output #170

Description

@fdelbrayelle

Summary

The env field (Property<Map<String,String>>) is the primary mechanism for passing secrets such as CLOUDQUERY_API_KEY, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY into the CloudQuery process, as shown in the plugin's own examples. The class carries @tostring at line 19 with no @ToString.Exclude on the env field and no onlyExplicitlyIncluded=true guard. Lombok's generated toString() will serialize the entire map including plaintext secret values. All three concrete classes (AbstractCloudQueryCommand, Sync, CloudQueryCLI) inherit or replicate this @tostring and expose the same field.

Severity

HIGH — CWE-312 / CWE-532 / OWASP ASVS V7.1.1

Standards

  • CWE-312: Cleartext Storage of Sensitive Information
  • CWE-532: Insertion of Sensitive Information into Log File
  • OWASP ASVS V7.1.1: Verify that the application does not log credentials or payment details

Affected Code

File: src/main/java/io/kestra/plugin/cloudquery/AbstractCloudQueryCommand.java (line 31)

// Evidence:
Line 19: `@ToString` on AbstractCloudQueryCommand; line 31: `protected Property<Map<String, String>> env;` with @PluginProperty(group = "execution") but no @ToString.Exclude. Plugin examples at Sync.java lines 59-97 show CLOUDQUERY_API_KEY, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY passed via this field.

Threat Scenario

An attacker or insider with access to application logs or debug output can retrieve plaintext cloud credentials (such as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and CLOUDQUERY_API_KEY) from Lombok-generated toString() output. When the task object is serialized for logging, debugging, or error reporting, the full contents of the env map are exposed, giving the attacker everything needed to authenticate against cloud provider APIs and exfiltrate or modify cloud resources.

Remediation

Add @ToString.Exclude to the env field in AbstractCloudQueryCommand, or switch to @tostring(onlyExplicitlyIncluded = true) and explicitly annotate safe fields with @ToString.Include. Because Sync and CloudQueryCLI both extend AbstractCloudQueryCommand, fixing the base class protects all subclasses.

Acceptance Criteria

Fix

  • Vulnerability remediated per Remediation section
  • No new instances of the same pattern in the same file or module
  • Test added that validates the secure behavior

Kestra Plugin Coding Standards

  • All new properties use Property<T> — no legacy @PluginProperty(dynamic = true) on new code
  • Secret/credential properties annotated with @PluginProperty(secret = true)
  • Logging via runContext.logger() only — no sensitive data in log statements
  • Build passes with ./gradlew build

References


Part of security audit EPIC: #169
View full audit report as Artifact

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/pluginPlugin-related issue or feature requestkind/securitySecurity-related issue

    Type

    Fields

    No fields configured for Bug.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions