Summary
The env field (Property<Map<String,String>>) is the primary mechanism for passing secrets such as CLOUDQUERY_API_KEY, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY into the CloudQuery process, as shown in the plugin's own examples. The class carries @tostring at line 19 with no @ToString.Exclude on the env field and no onlyExplicitlyIncluded=true guard. Lombok's generated toString() will serialize the entire map including plaintext secret values. All three concrete classes (AbstractCloudQueryCommand, Sync, CloudQueryCLI) inherit or replicate this @tostring and expose the same field.
Severity
HIGH — CWE-312 / CWE-532 / OWASP ASVS V7.1.1
Standards
- CWE-312: Cleartext Storage of Sensitive Information
- CWE-532: Insertion of Sensitive Information into Log File
- OWASP ASVS V7.1.1: Verify that the application does not log credentials or payment details
Affected Code
File: src/main/java/io/kestra/plugin/cloudquery/AbstractCloudQueryCommand.java (line 31)
// Evidence:
Line 19: `@ToString` on AbstractCloudQueryCommand; line 31: `protected Property<Map<String, String>> env;` with @PluginProperty(group = "execution") but no @ToString.Exclude. Plugin examples at Sync.java lines 59-97 show CLOUDQUERY_API_KEY, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY passed via this field.
Threat Scenario
An attacker or insider with access to application logs or debug output can retrieve plaintext cloud credentials (such as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and CLOUDQUERY_API_KEY) from Lombok-generated toString() output. When the task object is serialized for logging, debugging, or error reporting, the full contents of the env map are exposed, giving the attacker everything needed to authenticate against cloud provider APIs and exfiltrate or modify cloud resources.
Remediation
Add @ToString.Exclude to the env field in AbstractCloudQueryCommand, or switch to @tostring(onlyExplicitlyIncluded = true) and explicitly annotate safe fields with @ToString.Include. Because Sync and CloudQueryCLI both extend AbstractCloudQueryCommand, fixing the base class protects all subclasses.
Acceptance Criteria
Fix
Kestra Plugin Coding Standards
References
Part of security audit EPIC: #169
View full audit report as Artifact
Summary
The
envfield (Property<Map<String,String>>) is the primary mechanism for passing secrets such as CLOUDQUERY_API_KEY, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY into the CloudQuery process, as shown in the plugin's own examples. The class carries @tostring at line 19 with no @ToString.Exclude on the env field and no onlyExplicitlyIncluded=true guard. Lombok's generated toString() will serialize the entire map including plaintext secret values. All three concrete classes (AbstractCloudQueryCommand, Sync, CloudQueryCLI) inherit or replicate this @tostring and expose the same field.Severity
HIGH — CWE-312 / CWE-532 / OWASP ASVS V7.1.1
Standards
Affected Code
File:
src/main/java/io/kestra/plugin/cloudquery/AbstractCloudQueryCommand.java(line 31)Threat Scenario
An attacker or insider with access to application logs or debug output can retrieve plaintext cloud credentials (such as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and CLOUDQUERY_API_KEY) from Lombok-generated toString() output. When the task object is serialized for logging, debugging, or error reporting, the full contents of the
envmap are exposed, giving the attacker everything needed to authenticate against cloud provider APIs and exfiltrate or modify cloud resources.Remediation
Add @ToString.Exclude to the
envfield in AbstractCloudQueryCommand, or switch to @tostring(onlyExplicitlyIncluded = true) and explicitly annotate safe fields with @ToString.Include. Because Sync and CloudQueryCLI both extend AbstractCloudQueryCommand, fixing the base class protects all subclasses.Acceptance Criteria
Fix
Kestra Plugin Coding Standards
Property<T>— no legacy@PluginProperty(dynamic = true)on new code@PluginProperty(secret = true)runContext.logger()only — no sensitive data in log statements./gradlew buildReferences
Part of security audit EPIC: #169
View full audit report as Artifact