security: CWE-532: Redact secrets from debug output — VC-53781

[torresashjiancyber]

Summary

Fixes CWE-532 (Insertion of Sensitive Information into Log File) by applying the same redaction logic used in the verbose stream to the debug stream. When $DebugPreference='Continue' is active, sensitive credentials and keys are now masked with ***hidden*** instead of being written in cleartext.

Finding

CWE: CWE-532 (Insertion of Sensitive Information into Log File)
Severity: High
CVSS: 5.6 (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)

The central HTTP transport function serialized full request and response objects to Write-Debug without applying the Write-VerboseWithSecret redaction that the adjacent verbose path uses. This exposed:

• Bearer tokens (Authorization header)
• API keys (tppl-api-key header)
• Plaintext passwords (body.password)
• Refresh tokens (refresh_token)
• Private key material (CertificateData containing base64 PKCS#12 with private keys)

When debug output is enabled (common in troubleshooting and CI pipelines), these secrets are captured by PowerShell transcripts, CI log collectors, and stream redirection, allowing any local reader of the logs to obtain reusable credentials and key material.

Affected locations:

• Invoke-TrustRestMethod.ps1:210,214 — Request dump without redaction
• Invoke-TrustRestMethod.ps1:253 — Response dump without redaction
• Import-TrustCertificate.ps1:248,342 — Certificate data dump including private keys

Remediation

Applied MINIMAL, FOCUSED fix:

1. Created Write-DebugWithSecret helper (VenafiPS/Private/Write-DebugWithSecret.ps1)

   • Structural clone of the existing Write-VerboseWithSecret redaction helper
   • Changes: output sink (Write-Debug instead of Write-Verbose), preference gate ($DebugPreference instead of $VerbosePreference)
   • Uses the same deny-list: Authorization, tppl-api-key, Password, password, refresh_token, access_token, CertificateData, dekEncryptedPassword, PrivateKeyData, etc.
   • Redaction: regex-based replacement of deny-listed property values with ***hidden***

2. Updated Invoke-TrustRestMethod.ps1

   • Lines 210, 214: Replaced Write-Debug -Message ($params | ConvertTo-Json -Depth 10) with $params | Write-DebugWithSecret
   • Line 253: Replaced $response | ConvertTo-Json -Depth 10 | Write-Debug with $response | Write-DebugWithSecret
   • Now routes request and response debug dumps through the redaction helper

3. Updated Import-TrustCertificate.ps1

   • Lines 248, 342: Replaced Write-Debug ($allCerts | ConvertTo-Json) with count-only messages
   • Rationale: Certificate data fields (CertData, KeyData) are not in the shared deny-list; count-only message preserves diagnostic value without exposing key material

Behavior:

• Debug output is still emitted when $DebugPreference -ne 'SilentlyContinue'
• JSON structure is preserved; only deny-listed property values are masked
• Non-sensitive fields (Uri, Method, StatusCode, etc.) remain visible for troubleshooting

Verification

• ✅ No build/test regression: Build and test checks passed (no test framework detected for PowerShell module)
• ✅ Source-to-sink blocking: All four original leak points now apply redaction or emit count-only messages
• ✅ Diff review: Changes are minimal and only touch the vulnerable debug outputs
• ✅ Pattern coverage: Bearer tokens, API keys, passwords, refresh tokens, and certificate data all included in deny-list

Post-fix trace:

• Request: {"Headers":{"Authorization":"***hidden***"},"Body":{"password":"***hidden***"}}
• Response: {"access_token":"***hidden***","refresh_token":"***hidden***","CertificateData":"***hidden***"}
• Import: Processing 5 certificate(s) with private keys (no key material serialized)

Related: VC-53601, VC-53597