mirror of
https://github.com/juanfont/headscale.git
synced 2026-01-12 04:10:32 +01:00
Headscale logs bearer tokens #439
Closed
opened 2025-12-29 01:29:21 +01:00 by adam
·
13 comments
No Branch/Tag Specified
main
update_flake_lock_action
gh-pages
kradalby/release-v0.27.2
dependabot/go_modules/golang.org/x/crypto-0.45.0
dependabot/go_modules/github.com/opencontainers/runc-1.3.3
copilot/investigate-headscale-issue-2788
copilot/investigate-visibility-issue-2788
copilot/investigate-issue-2833
copilot/debug-issue-2846
copilot/fix-issue-2847
dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0
dependabot/go_modules/github.com/docker/docker-28.3.3incompatible
kradalby/cli-experiement3
doc/0.26.1
doc/0.25.1
doc/0.25.0
doc/0.24.3
doc/0.24.2
doc/0.24.1
doc/0.24.0
kradalby/build-docker-on-pr
topic/docu-versioning
topic/docker-kos
juanfont/fix-crash-node-id
juanfont/better-disclaimer
update-contributors
topic/prettier
revert-1893-add-test-stage-to-docs
add-test-stage-to-docs
remove-node-check-interval
fix-empty-prefix
fix-ephemeral-reusable
bug_report-debuginfo
autogroups
logs-to-stderr
revert-1414-topic/fix_unix_socket
rename-machine-node
port-embedded-derp-tests-v2
port-derp-tests
duplicate-word-linter
update-tailscale-1.36
warn-against-apache
ko-fi-link
more-acl-tests
fix-typo-standalone
parallel-nolint
tparallel-fix
rerouting
ssh-changelog-docs
oidc-cleanup
web-auth-flow-tests
kradalby-gh-runner
fix-proto-lint
remove-funding-links
go-1.19
enable-1.30-in-tests
0.16.x
cosmetic-changes-integration
tmp-fix-integration-docker
fix-integration-docker
configurable-update-interval
show-nodes-online
hs2021
acl-syntax-fixes
ts2021-implementation
fix-spurious-updates
unstable-integration-tests
mandatory-stun
embedded-derp
prtemplate-fix
v0.28.0-beta.1
v0.27.2-rc.1
v0.27.1
v0.27.0
v0.27.0-beta.2
v0.27.0-beta.1
v0.26.1
v0.26.0
v0.26.0-beta.2
v0.26.0-beta.1
v0.25.1
v0.25.0
v0.25.0-beta.2
v0.24.3
v0.25.0-beta.1
v0.24.2
v0.24.1
v0.24.0
v0.24.0-beta.2
v0.24.0-beta.1
v0.23.0
v0.23.0-rc.1
v0.23.0-beta.5
v0.23.0-beta.4
v0.23.0-beta3
v0.23.0-beta2
v0.23.0-beta1
v0.23.0-alpha12
v0.23.0-alpha11
v0.23.0-alpha10
v0.23.0-alpha9
v0.23.0-alpha8
v0.23.0-alpha7
v0.23.0-alpha6
v0.23.0-alpha5
v0.23.0-alpha4
v0.23.0-alpha4-docker-ko-test9
v0.23.0-alpha4-docker-ko-test8
v0.23.0-alpha4-docker-ko-test7
v0.23.0-alpha4-docker-ko-test6
v0.23.0-alpha4-docker-ko-test5
v0.23.0-alpha-docker-release-test-debug2
v0.23.0-alpha-docker-release-test-debug
v0.23.0-alpha4-docker-ko-test4
v0.23.0-alpha4-docker-ko-test3
v0.23.0-alpha4-docker-ko-test2
v0.23.0-alpha4-docker-ko-test
v0.23.0-alpha3
v0.23.0-alpha2
v0.23.0-alpha1
v0.22.3
v0.22.2
v0.23.0-alpha-docker-release-test
v0.22.1
v0.22.0
v0.22.0-alpha3
v0.22.0-alpha2
v0.22.0-alpha1
v0.22.0-nfpmtest
v0.21.0
v0.20.0
v0.19.0
v0.19.0-beta2
v0.19.0-beta1
v0.18.0
v0.18.0-beta4
v0.18.0-beta3
v0.18.0-beta2
v0.18.0-beta1
v0.17.1
v0.17.0
v0.17.0-beta5
v0.17.0-beta4
v0.17.0-beta3
v0.17.0-beta2
v0.17.0-beta1
v0.17.0-alpha4
v0.17.0-alpha3
v0.17.0-alpha2
v0.17.0-alpha1
v0.16.4
v0.16.3
v0.16.2
v0.16.1
v0.16.0
v0.16.0-beta7
v0.16.0-beta6
v0.16.0-beta5
v0.16.0-beta4
v0.16.0-beta3
v0.16.0-beta2
v0.16.0-beta1
v0.15.0
v0.15.0-beta6
v0.15.0-beta5
v0.15.0-beta4
v0.15.0-beta3
v0.15.0-beta2
v0.15.0-beta1
v0.14.0
v0.14.0-beta2
v0.14.0-beta1
v0.13.0
v0.13.0-beta3
v0.13.0-beta2
v0.13.0-beta1
upstream/v0.12.4
v0.12.4
v0.12.3
v0.12.2
v0.12.2-beta1
v0.12.1
v0.12.0-beta2
v0.12.0-beta1
v0.11.0
v0.10.8
v0.10.7
v0.10.6
v0.10.5
v0.10.4
v0.10.3
v0.10.2
v0.10.1
v0.10.0
v0.9.3
v0.9.2
v0.9.1
v0.9.0
v0.8.1
v0.8.0
v0.7.1
v0.7.0
v0.6.1
v0.6.0
v0.5.2
v0.5.1
v0.5.0
v0.4.0
v0.3.6
v0.3.5
v0.3.4
v0.3.3
v0.3.2
v0.3.1
v0.3.0
v0.2.2
v0.2.1
v0.2.0
v0.1.1
v0.1.0
Labels
Clear labels
CLI
DERP
DNS
Nix
OIDC
SSH
bug
database
documentation
duplicate
enhancement
faq
good first issue
grants
help wanted
might-come
needs design doc
needs investigation
no-stale-bot
out of scope
performance
policy 📝
pull-request
question
regression
routes
stale
tags
tailscale-feature-gap
well described ❤️
wontfix
Mirrored from GitHub Pull Request
No Label
bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: starred/headscale#439
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @apollo13 on GitHub (Mar 11, 2023).
Bug description
Looking at the headscale logs, it logs this at info level when accessing the HTTP api:
This includes the whole bearer token. It would be great if the credentials wouldn't get logged :)
@github-actions[bot] commented on GitHub (Sep 26, 2023):
This issue is stale because it has been open for 180 days with no activity.
@apollo13 commented on GitHub (Sep 26, 2023):
/unstale
On Tue, Sep 26, 2023, at 03:44, github-actions[bot] wrote:
@disconn3ct commented on GitHub (Oct 19, 2023):
This is a security exposure, in security software. Is it on the radar for a fix?
@almereyda commented on GitHub (Oct 19, 2023):
Would you like to contribute a PR which fixes the perceived regression? I think the maintainers accept contributions again.
The readme clearly states that this is a project for "self-hosters and hobbyists".
If you have specific security requirements, it's probably better to switch to the commercial Tailscale offer.
@disconn3ct commented on GitHub (Oct 20, 2023):
Is that the official response from the project to this security report? I am more than willing to get it a CVE if that helps.
@almereyda commented on GitHub (Oct 20, 2023):
This is not an official response, since I am not an official maintainer. This is just how I understand the situation personally.
@apollo13 commented on GitHub (Oct 20, 2023):
Hi @disconn3ct, also not a maintainer but please don't try to get a CVE. You are apparently operating under the assumption that a project has to live up to certain security standards. This is not necessarily the case (I have no idea what the security policy for headscale is) and no one forces you to use headscale. Threatening to issue a CVE will usually only have the effect of getting completely ignored.
If you want to invest your time productively, you could check if this issue is actually still an issue (I don't know I don't use headscale anymore) and if yes try to come up with a patch.
@disconn3ct commented on GitHub (Oct 20, 2023):
and yet here you are, LARPing as one. Maybe you should let the actual maintainers have a chance to respond.
@disconn3ct commented on GitHub (Nov 11, 2023):
@juanfont fyi https://www.cve.org/CVERecord?id=CVE-2023-47390 was assigned
@masterwishx commented on GitHub (Feb 29, 2024):
using v 0.22.3 i have a lot of this when moved to goodieshq/headscale-admin from headscale-ui
@disconn3ct commented on GitHub (Feb 29, 2024):
Same here. @kradalby can you please reopen this? Or would you prefer a new bug (and new CVE)
headscale-59b8474d86-q55x6 headscale 2024-02-29T14:24:43Z INF unary dur=28.159111 md={":authority":"/var/run/headscale/headscale.sock","authorization":"Bearer OHNO_A_BEARER_TOKEN","content-type":"application/grpc","grpcgateway-accept":"application/json","grpcgateway-accept-language":"en-US,en;q=0.5","grpcgateway-authorization":"Bearer OHNO_ANOTHER!_BEARER_TOKEN","grpcgateway-referer":"https://MY.SITE/admin/nodes/","grpcgateway-user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:122.0) Gecko/20100101 Firefox/122.0","user-agent":"grpc-go/1.54.0","x-forwarded-for":"10.108.0.5, 10.244.2.36","x-forwarded-host":"MY.SITE"} method=ListUsers req={} service=headscale.v1.HeadscaleService@apollo13 commented on GitHub (Feb 29, 2024):
Folks, read the ticket history. This is fixed and will be part of 0.23.0
@masterwishx commented on GitHub (Feb 29, 2024):
Sure, I saw it's fixed in latest prerelease fow now... Sorry for this