CA-422448: Write proxy credentials to repo file instead of command line (#6836)

stephenchengCloud · web-flow · commit beed772296dc · 2026-01-19T09:48:54.000Z
DNF5 logs command-line arguments to /var/log/dnf5.log, exposing proxy_password when passed via `dnf config-manager setopt`. Write proxy credentials directly to the .repo file (mode 0o400) and remove them after sync completes to avoid password exposure in logs. Tested： 4530865 CloudRepoUpdate With the fix, threre's no password. ``` # grep password /var/log/dnf5* [root@genus-34-01d ~]# ``` 4530867 CloudRepoUpdate Without the fix, there're passwords in the logs. ``` # grep password /var/log/dnf5* /var/log/dnf5.log:2026-01-14T09:44:42+0000 [33030] INFO --- DNF5 launched with arguments: "/usr/bin/dnf config-manager setopt remote-49e2ea36-154c-9fd4-51bb-4b319d25d05a.proxy=http://10.62.50.94:3128 remote-49e2ea36-154c-9fd4-51bb-4b319d25d05a.proxy_username=debian remote-49e2ea36-154c-9fd4-51bb-4b319d25d05a.proxy_password=JwNm8I2rAxlB" --- /var/log/dnf5.log.1:2026-01-14T09:44:42+0000 [33023] INFO --- DNF5 launched with arguments: "/usr/bin/dnf config-manager setopt remote-9b300a0d-765a-3426-5ad2-0384bc427c28.proxy=http://10.62.50.94:3128 remote-9b300a0d-765a-3426-5ad2-0384bc427c28.proxy_username=debian remote-9b300a0d-765a-3426-5ad2-0384bc427c28.proxy_password=JwNm8I2rAxlB" --- ```
diff --git a/ocaml/tests/test_repository_helpers.ml b/ocaml/tests/test_repository_helpers.ml
@@ -346,8 +346,8 @@ module WriteYumConfig = Generic.MakeStateless (struct
     let gpgkey_path' = Option.value ~default:"" name in
     try
       (* The path of file which will be written by write_yum_config *)
-      write_yum_config ~source_url ~binary_url ~repo_gpgcheck:true
-        ~gpgkey_path:gpgkey_path' ~repo_name ;
+      write_yum_config ~proxy_config:[] ~source_url ~binary_url
+        ~repo_gpgcheck:true ~gpgkey_path:gpgkey_path' ~repo_name ;
       let in_ch = open_in repo_file_path in
       let content = read_from_in_channel "" in_ch in
       close_in in_ch ; finally () ; Ok content
diff --git a/ocaml/xapi/repository.ml b/ocaml/xapi/repository.ml
@@ -224,9 +224,12 @@ let sync ~__context ~self ~token ~token_id ~username ~password =
       | s ->
           s
     in
-    let write_initial_yum_config ~binary_url =
-      write_yum_config ~source_url ~binary_url ~repo_gpgcheck:true ~gpgkey_path
-        ~repo_name
+    let proxy_config =
+      match use_proxy with true -> get_proxy_params ~__context | false -> []
+    in
+    let write_initial_yum_config ~proxy_config ~binary_url =
+      write_yum_config ~proxy_config ~source_url ~binary_url ~repo_gpgcheck:true
+        ~gpgkey_path ~repo_name
     in
     Xapi_stdext_pervasives.Pervasiveext.finally
       (fun () ->
@@ -255,7 +258,7 @@ let sync ~__context ~self ~token ~token_id ~username ~password =
 
         with_sync_client_auth client_auth @@ fun client_auth ->
         with_sync_server_auth server_auth @@ fun binary_url' ->
-        write_initial_yum_config
+        write_initial_yum_config ~proxy_config
           ~binary_url:(Option.value binary_url' ~default:binary_url) ;
         clean_yum_cache repo_name ;
         (* Remove imported YUM repository GPG key *)
@@ -272,15 +275,10 @@ let sync ~__context ~self ~token ~token_id ~username ~password =
           | None ->
               []
         in
-        let proxy_params =
-          match use_proxy with
-          | true ->
-              get_proxy_params ~__context
-          | false ->
-              []
-        in
-        auth_params @ proxy_params |> fun x ->
-        config_repo x ; make_cache () ; sync_repo ()
+        (* Proxy config is now written directly to repo file, so only pass
+         * auth_params to config_repo to avoid exposing credentials in
+         * command-line arguments which get logged by DNF5 *)
+        config_repo auth_params ; make_cache () ; sync_repo ()
       )
       (fun () ->
         (* Rewrite repo conf file as initial content to remove credential
@@ -294,7 +292,8 @@ let sync ~__context ~self ~token ~token_id ~username ~password =
          *)
         match Pkgs.manager with
         | Yum ->
-            write_initial_yum_config ~binary_url
+            (* Write clean config without proxy credentials *)
+            write_initial_yum_config ~proxy_config:[] ~binary_url
         | Dnf ->
             Unixext.unlink_safe !Xapi_globs.dnf_repo_config_file
       ) ;
diff --git a/ocaml/xapi/repository_helpers.ml b/ocaml/xapi/repository_helpers.ml
@@ -310,8 +310,8 @@ let remove_repo_conf_file repo_name =
   in
   Unixext.unlink_safe path
 
-let write_yum_config ~source_url ~binary_url ~repo_gpgcheck ~gpgkey_path
-    ~repo_name =
+let write_yum_config ~proxy_config ~source_url ~binary_url ~repo_gpgcheck
+    ~gpgkey_path ~repo_name =
   let file_path =
     Filename.concat !Xapi_globs.yum_repos_config_dir (repo_name ^ ".repo")
   in
@@ -344,6 +344,7 @@ let write_yum_config ~source_url ~binary_url ~repo_gpgcheck ~gpgkey_path
     ; opt_gpgcheck
     ; opt_gpgkey
     ]
+    @ proxy_config
   in
   let content_of_source =
     match source_url with
@@ -445,8 +446,8 @@ let with_local_repositories ~__context f =
                   s
             in
             remove_repo_conf_file repo_name ;
-            write_yum_config ~source_url:None ~binary_url ~repo_gpgcheck:false
-              ~gpgkey_path ~repo_name ;
+            write_yum_config ~proxy_config:[] ~source_url:None ~binary_url
+              ~repo_gpgcheck:false ~gpgkey_path ~repo_name ;
             clean_yum_cache repo_name ;
             let Pkg_mgr.{cmd; params} =
               [
