Fixes Ifw writing passwords to EventLog for failed command execution (#…

…774) Fixes EventLog error handling by no longer parsing command arguments to ensure passwords are not stored on the EventLog, unless the debug mode of Icinga for Windows is enable
Icinga · Jan 29, 2025 · ed0770e · ed0770e
1 parent 336b38d
commit ed0770e
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 3 deletions.
diff --git a/doc/100-General/10-Changelog.md b/doc/100-General/10-Changelog.md
@@ -11,6 +11,7 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic
 
 ### Bugfixes
 
+* [#754](https://github.com/Icinga/icinga-powershell-framework/issues/754) Fixes EventLog error handling by no longer parsing command arguments to ensure passwords are not stored on the EventLog, unless the debug mode of Icinga for Windows is enable
 * [#759](https://github.com/Icinga/icinga-powershell-framework/pull/759) Fixes maximum cache duration for service daemons to the right value
 * [#773](https://github.com/Icinga/icinga-powershell-framework/pull/773) Fixes REST-Api invoke command `Invoke-IcingaForWindowsRESTApi` by removing CA certificate check
 

diff --git a/lib/core/framework/Invoke-IcingaInternalServiceCall.psm1 b/lib/core/framework/Invoke-IcingaInternalServiceCall.psm1
@@ -61,12 +61,18 @@ function Invoke-IcingaInternalServiceCall()
     Set-IcingaTLSVersion;
     Enable-IcingaUntrustedCertificateValidation -SuppressMessages;
 
+    # For security reasons, we will not log the arguments in case of an error, only in debug mode
+    $ErrorArguments = '';
+    if ($Global:Icinga.Protected.DebugMode) {
+        $ErrorArguments =  $Arguments;
+    }
+
     # Now queue the check inside our REST-Api
     try {
         $ApiResult = Invoke-WebRequest -Method POST -UseBasicParsing -Uri ([string]::Format('https://localhost:{0}/v1/checker?command={1}', $RestApiPort, $Command)) -Body (ConvertTo-JsonUTF8Bytes -InputObject $Arguments -Depth 100 -Compress) -ContentType 'application/json' -TimeoutSec $Timeout;
     } catch {
         # Fallback to execute plugin locally
-        Write-IcingaEventMessage -Namespace 'Framework' -EventId 1553 -ExceptionObject $_ -Objects $Command, $Arguments;
+        Write-IcingaEventMessage -Namespace 'Framework' -EventId 1553 -ExceptionObject $_ -Objects $Command, $ErrorArguments;
         return $NULL;
     }
 
@@ -76,12 +82,12 @@ function Invoke-IcingaInternalServiceCall()
 
     # In case we didn't receive a check result, fallback to local execution
     if ([string]::IsNullOrEmpty($IcingaResult.$Command.checkresult)) {
-        Write-IcingaEventMessage -Namespace 'Framework' -EventId 1553 -Objects 'The check result for the executed command was empty', $Command, $Arguments;
+        Write-IcingaEventMessage -Namespace 'Framework' -EventId 1553 -Objects 'The check result for the executed command was empty', $Command, $ErrorArguments;
         return $NULL;
     }
 
     if ([string]::IsNullOrEmpty($IcingaResult.$Command.exitcode)) {
-        Write-IcingaEventMessage -Namespace 'Framework' -EventId 1553 -Objects 'The check result for the executed command was empty', $Command, $Arguments;
+        Write-IcingaEventMessage -Namespace 'Framework' -EventId 1553 -Objects 'The check result for the executed command was empty', $Command, $ErrorArguments;
         return $NULL;
     }