Recently I had a very interesting problem at work. I started my new microservice, which uses encrypted,
git-based properties, and I noticed the following exception in the logs:
As you can see above, I use the config module from the micro-infra-spring library.
I am a coauthor of this module and I can honestly tell you that git-based properties are great.
You can find more details about this mechanism on the wiki.
But let’s come back to our exception. When I stepped through it in a debugger, I noticed that my password had
been encoded as “abcdhimBHefgh}xyz” instead of “abcd$-efgh$2}xyz” (the passwords are simplified for the
purpose of this article).
I thought: “What the hell?” The prefix and suffix of the password were fine, but the middle part was wrong.
I used a Ruby script, which is a part of micro-infra-spring, to encrypt the password:
and then to decrypt it:
By the way, you should remove these commands from your Bash history if you use real passwords.
The password came out the same as in the debugger. At this point I knew that something was wrong with either
the aes.rb script or the way it was called.
If you look very closely at the difference between these two passwords, you can spot two things:
$- was changed into himBH
$2 was changed into an empty string
Now recall that you can put variables in a Bash string (like in Groovy):
Do you get it? You should be able to solve at least one of the puzzles now. There is no $2 variable, so it is expanded
into an empty string.
OK, if you have some experience with Bash, you probably know variables such as:
$1, $2, $3 - positional parameters
$# - number of parameters
$@ - array representation of parameters
$0 - name of the shell or shell script
But have you ever heard of the $- variable? Let’s check:
If you are smarter than I am, you can try googling “himBH”; if you search for “$-” instead, you
are likely to be out of luck, because most search engines ignore punctuation. Fortunately, there is the SymbolHound search engine, which
handles such queries pretty well.
$- is a variable that holds the flags (options) currently set in the shell. It was tricky, wasn’t it?
To fix the issue, you can escape all the dollar signs:
or use single quotation marks:
Double quotes allow expansion of variables within the quoted string, and single quotes don’t.
I decided to use single quotation marks and changed the examples in the documentation.
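The following POSIX shell script is an added example, not part of the original post or of micro-infra-spring. It reproduces the mangling described above and shows both fixes side by side; the call to aes.rb is replaced by printf, so what you see is exactly the string the shell would hand to the encryption script. The helper function names (broken_password, fixed_single_quotes, fixed_escaped, password_intact, warn_if_dollar) are made up for this example.

```shell
#!/bin/sh
# Added example: how double-quoted passwords get mangled by the shell, and the two fixes.

# Reproduces the bug. Inside double quotes the shell expands "$-" (the flags
# currently set in the shell, e.g. "himBH" in an interactive Bash) and "$2"
# (an unset positional parameter, so an empty string) before the value ever
# reaches aes.rb. Inside a function "$2" is the function's own second
# argument, which is also unset here, so the effect is the same.
broken_password() {
    printf '%s\n' "abcd$-efgh$2}xyz"
}

# Fix 1: single quotes. The shell performs no expansion at all inside them,
# so the password is passed through byte for byte.
fixed_single_quotes() {
    printf '%s\n' 'abcd$-efgh$2}xyz'
}

# Fix 2: keep double quotes but escape every dollar sign with a backslash.
fixed_escaped() {
    printf '%s\n' "abcd\$-efgh\$2}xyz"
}

# Check whether a value survived the shell untouched: returns 0 (success) when
# the string a command received equals the intended literal password.
password_intact() {
    [ "$1" = 'abcd$-efgh$2}xyz' ]
}

# Defensive check you can put in a wrapper script: warn when a password
# contains a dollar sign, since that is exactly the case where the quoting
# style decides whether the right secret gets encrypted. Returns 0 if the
# value contains "$", 1 otherwise.
warn_if_dollar() {
    case "$1" in
        *'$'*)
            printf 'warning: value contains "$"; pass it in single quotes or escape it\n' >&2
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Stand-alone demonstration.
printf 'broken (double quotes): %s\n' "$(broken_password)"
printf 'fixed  (single quotes): %s\n' "$(fixed_single_quotes)"
printf 'fixed  (escaped):       %s\n' "$(fixed_escaped)"
warn_if_dollar "$(fixed_single_quotes)" || true
```

Run it with sh or bash; the first line differs between shells because $- depends on which options that shell has set, while the two fixed lines always print the intended password.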
The conclusion is simple: “Don’t use a dollar sign in your application passwords”, or be very careful
and use single quotation marks when encrypting them.