❓ [inadyn] Addon logs the secret token in cleartext #1742

Open
rajiteh opened this issue Jan 28, 2025 · 2 comments
Labels
prevent stale Prevents stale being applied

Comments


rajiteh commented Jan 28, 2025

Which addon?

Inadyn
Version: 2.12.0-2

I noticed that when the addon is loaded, it prints a warning from /etc/cont-init.d/00-global_var.sh that complains about the providers: config being an array, along with its contents. Unfortunately, this array also holds the secret tokens used for provider APIs. This happens even if I declare the config with the !secret ... notation that HA expects for sensitive fields.

Starting...
/etc/cont-init.d/00-banner.sh: executing
-----------------------------------------------------------
 Add-on: Inadyn
 Inadyn is a small and simple Dynamic DNS, DDNS, client with HTTPS support. A large number of dynamic dns providers are supported (https://github.com/troglobit/inadyn#supported-providers). For those that are not, you can use a custom provider as per this project's documentation (https://github.com/nalipaz/hassio-addons/blob/master/README.md)
-----------------------------------------------------------
 Add-on version: 2.12.0-2
 You are running the latest version of this add-on.
 System: Home Assistant OS 14.1  (amd64 / qemux86-64)
 Home Assistant Core: 2025.1.4
 Home Assistant Supervisor: 2024.12.3
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums
-----------------------------------------------------------
 Provided by: https://github.com/alexbelgium/hassio-addons 
-----------------------------------------------------------
/etc/cont-init.d/00-global_var.sh: executing
[04:09:35] WARNING: [
  {
    "hostname": "my.domain.com",
    "username": "domain.com",
    "provider": "cloudflare",
    "password": "<PASSWORD IS PRINTED IN CLEARTEXT>",
    "ttl": 60,
    "checkip_command": "/sbin/ip -4 addr show dev enp1s0 | grep inet | awk -F '[ 	]+|/' '{print $3}'"
  }
] is an array, skipping
/etc/cont-init.d/01-config_yaml.sh: executing
/etc/cont-init.d/01-custom_script.sh: executing
Execute /config/*-inadyn/inadyn.sh if existing
Wiki here : github.com/alexbelgium/hassio-addons/wiki/Add-ons-feature-:-customisation
curl: (23) Failure writing output to destination
Error : /etc/cont-init.d/01-custom_script.sh exiting 23
/etc/cont-init.d/99-run.sh: executing
Guessing DDNS plugin '[email protected]' from 'cloudflare'
inadyn[140]: In-a-dyn version 2.12.0 -- Dynamic DNS update client.
inadyn[140]: Guessing DDNS plugin '[email protected]' from 'cloudflare'
inadyn[140]: Update forced for alias my.domain.com, new IP# 192.168.0.1
inadyn[140]: Updating IPv4 cache for my.domain.com

Additionally I also notice this error in the output, but it doesn't seem to cause a problem with actual functionality.

curl: (23) Failure writing output to destination
Error : /etc/cont-init.d/01-custom_script.sh exiting 23

Is there any way to prevent the addon from logging the secret in the output? I can propose the change but I will need a little guidance on what/where to look for. Thanks a bunch!

@rajiteh rajiteh added the prevent stale Prevents stale being applied label Jan 28, 2025
Owner

alexbelgium commented Jan 28, 2025

Hi, I understand: because it is an array, my global_var code prints it as an error, so it circumvents the code saying that secrets shouldn't be printed. The solution is to adapt the global_var.sh script to print an error message if it is an array, and not the whole array. I can look at it a bit later.

However, even if it is visually visible, it's still just on your device, so as secure as the addon options showing the value, one might say: someone would need access to the device (physical, as ssh is disabled by default) to read the log, which would also allow him to read the config.

Author

rajiteh commented Feb 7, 2025

Thanks for making the change. Instead of the array value, you could maybe print the key in the warning so the user will still know why their field wasn't exported as an env.

The fix you made is good enough for me though, so feel free to close the issue! 💯
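
The approach discussed in this thread (warn with the option's key instead of dumping the array), as an added example that is not the add-on's own 00-global_var.sh. It assumes `jq` is installed; `export_options`, `log_warning` and the sample options are hypothetical names and constructed data.

```shell
#!/bin/sh
# Added example; not the add-on's 00-global_var.sh. Requires jq.
# Constructed sample options, shaped like the config quoted in the issue.
SAMPLE_OPTIONS='{
  "TZ": "Europe/Paris",
  "verbose": true,
  "bad-key": "x",
  "providers": [
    {"hostname": "my.domain.com", "provider": "cloudflare",
     "password": "CONSTRUCTED-TOKEN-123"}
  ]
}'

# log_warning MESSAGE: hypothetical stand-in for the add-on's logger.
log_warning() { printf 'WARNING: %s\n' "$1" >&2; }

# export_options FILE: export scalar top-level options as environment
# variables. Warnings name the key and its JSON type, never the value.
export_options() {
  file=$1
  keys=$(jq -r 'keys_unsorted[]' "$file") || return 1
  while IFS= read -r key; do
    [ -n "$key" ] || continue
    case $key in
      [!A-Za-z_]*|*[!A-Za-z0-9_]*)
        log_warning "option '$key' is not a valid variable name, skipping"
        continue ;;
    esac
    type=$(jq -r --arg k "$key" '.[$k] | type' "$file")
    case $type in
      array|object)
        # The value may hold credentials (e.g. providers[].password).
        log_warning "option '$key' is an $type, not exported as env" ;;
      null) ;;
      *)
        value=$(jq -r --arg k "$key" '.[$k]' "$file")
        export "$key=$value" ;;
    esac
  done <<EOF
$keys
EOF
}
```

Writing `SAMPLE_OPTIONS` to a file and calling `export_options` on it logs `option 'providers' is an array, not exported as env` and exports `TZ` and `verbose`; the constructed token never reaches the log.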
