MB-53550 [BP] Don't leak cookie in master-password

jamesl33 · jamesl33 · commit d1178b7b71f2 · 2022-11-30T16:47:05.000Z
Instead set it as an enviornment variable and use `-eval` to set it from the variable. Change-Id: I453dcc7d62995cc4dd91792e69eda68c100a9b53 Reviewed-on: https://review.couchbase.org/c/couchbase-cli/+/172295 Tested-by: Build Bot <build@couchbase.com> Reviewed-by: James Lee <james.lee@couchbase.com> Well-Formed: Restriction Checker Reviewed-on: https://review.couchbase.org/c/couchbase-cli/+/182192 Reviewed-by: Maksimiljans Januska <maks.januska@couchbase.com>
diff --git a/cbmgr.py b/cbmgr.py
@@ -1509,11 +1509,11 @@ def prompt_for_master_pwd(self, node, cookie, password, cb_cfg_path):
             '-proto_dist', 'cb',
             '-epmd_module', 'cb_epmd',
             '-kernel', 'inetrc', f'"{inetrc_file}"', 'dist_config_file', f'"{dist_cfg_file}"',
-            '-setcookie', cookie,
+            '-eval' 'erlang:set_cookie(list_to_atom(os:getenv("CB_COOKIE"))).',
             '-run', 'encryption_service', 'remote_set_password', node,
         ]
 
-        rc, out, err = self.run_process("erl", args, extra_env={'SETPASSWORD': password})
+        rc, out, err = self.run_process("erl", args, extra_env={'SETPASSWORD': password, 'CB_COOKIE': cookie})
         if rc == 0:
             print("SUCCESS: Password accepted. Node started booting.")
         elif rc == 101:
