Okapi: OKAPI-882

Password leaks in log


Details

    • Standard Bug Write-Up Format
    • CP: sprint 96
    • 1.5
    • Core: Platform
    • Q3 2020

    Description

      Overview:
      Okapi writes the database superuser credentials to its log at log level INFO whenever it starts a module as a Docker container: the full createContainer request, including the container's environment, is logged verbatim.

      Steps to Reproduce:
      Install and start Okapi.
      Set the DB_PASSWORD environment variable through Okapi's /_/env endpoint (Okapi passes these variables into the environment of every container it launches):

      curl -w '\n' -D - -d '{"name":"DB_PASSWORD","value":"mysecret"}' http://localhost:9130/_/env
      

      Deploy a module that Okapi launches as a Docker container, then inspect Okapi's log output.

      Expected Results:
      The log does not contain the values of environment variables that hold credentials, such as DB_PASSWORD. Logging the variable names, or a masked value, would be acceptable.

      Actual Results:
      The log contains the DB_PASSWORD value in this entry:

      {"instant":{"epochSecond":1598638031,"nanoOfSecond":205000000},"thread":"vert.x-eventloop-thread-0","level":"INFO","loggerName":"okapi","message":"createContainer {\n  \"AttachStdin\" : false,\n  \"AttachStdout\" : true,\n  \"AttachStderr\" : true,\n  \"StopSignal\" : \"SIGTERM\",\n  \"env\" : [ \"DB_PASSWORD=mysecret\" ],\n  \"Image\" : \"okapi-test-module\",\n  \"HostConfig\" : {\n    \"PortBindings\" : {\n      \"8080/tcp\" : [ {\n        \"HostPort\" : \"9131\"\n      } ]\n    },\n    \"PublishAllPorts\" : false\n  }\n}","endOfBatch":false,"loggerFqcn":"org.apache.logging.log4j.spi.AbstractLogger","threadId":14,"threadPriority":5,"userId":"","requestId":"","tenantId":"","moduleId":""}
      

      The message field JSON decoded:

      createContainer {
        "AttachStdin" : false,
        "AttachStdout" : true,
        "AttachStderr" : true,
        "StopSignal" : "SIGTERM",
        "env" : [ "DB_PASSWORD=mysecret" ],
        "Image" : "okapi-test-module",
        "HostConfig" : {
          "PortBindings" : {
            "8080/tcp" : [ {
              "HostPort" : "9131"
            } ]
          },
          "PublishAllPorts" : false
        }
      }
      

      DB_PASSWORD=mysecret is a credential and must not appear in the log. Because the entry is written at INFO, i.e. at normal operating verbosity rather than DEBUG, the password reaches every destination the log is shipped to (log files, container stdout, central log aggregators), and everyone with read access to those gains the database superuser password.
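The following is an added example, not code from Okapi or from this issue's reporter. It shows two things a practitioner would want after reading the entry above: a check that scans Okapi's JSON-layout log lines for createContainer entries whose env list carries credential-like variables (to find out whether a deployment has already leaked secrets), and a redaction function that produces what the entry should have looked like. The first sample line is the log entry quoted in this issue; the second is a constructed clean line. The regular expression of credential-like variable names is an assumption of this example, not something Okapi defines.

```python
import json
import re

# Sample input, constructed for this example: the log entry quoted in the issue (log4j2 JSON layout,
# one JSON object per line). Kept as a raw string so the \n and \" escapes reach json.loads untouched.
SAMPLE_LOG_LINE = r'''{"instant":{"epochSecond":1598638031,"nanoOfSecond":205000000},"thread":"vert.x-eventloop-thread-0","level":"INFO","loggerName":"okapi","message":"createContainer {\n  \"AttachStdin\" : false,\n  \"AttachStdout\" : true,\n  \"AttachStderr\" : true,\n  \"StopSignal\" : \"SIGTERM\",\n  \"env\" : [ \"DB_PASSWORD=mysecret\" ],\n  \"Image\" : \"okapi-test-module\",\n  \"HostConfig\" : {\n    \"PortBindings\" : {\n      \"8080/tcp\" : [ {\n        \"HostPort\" : \"9131\"\n      } ]\n    },\n    \"PublishAllPorts\" : false\n  }\n}","endOfBatch":false,"loggerFqcn":"org.apache.logging.log4j.spi.AbstractLogger","threadId":14,"threadPriority":5,"userId":"","requestId":"","tenantId":"","moduleId":""}'''

# Second constructed line in the same layout, with environment variables that are not secrets.
CLEAN_LOG_LINE = json.dumps({
    "instant": {"epochSecond": 1598638031, "nanoOfSecond": 300000000},
    "thread": "vert.x-eventloop-thread-0", "level": "INFO", "loggerName": "okapi",
    "message": "createContainer " + json.dumps(
        {"Image": "okapi-test-module", "env": ["DB_HOST=postgres", "DB_USERNAME=folio"]}, indent=2),
})

# Assumption of this example: variable names matching this pattern are treated as credentials.
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.IGNORECASE)
CREATE_PREFIX = "createContainer "


def parse_create_container(line):
    """Return the decoded createContainer request body embedded in a log line, or None
    if the line is not valid JSON or is not a createContainer entry."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None
    message = entry.get("message", "")
    if not message.startswith(CREATE_PREFIX):
        return None
    try:
        return json.loads(message[len(CREATE_PREFIX):])
    except json.JSONDecodeError:
        return None


def leaked_credentials(line):
    """List (name, value) pairs of credential-like env vars written to the log by this line."""
    body = parse_create_container(line)
    if body is None:
        return []
    leaks = []
    for item in body.get("env", []):
        name, sep, value = item.partition("=")
        if sep and SECRET_NAME.search(name):
            leaks.append((name, value))
    return leaks


def scan(lines):
    """Map line index -> leaks, for every line that leaks at least one credential value."""
    findings = {}
    for index, line in enumerate(lines):
        leaks = leaked_credentials(line)
        if leaks:
            findings[index] = leaks
    return findings


def redact_env(body):
    """Return a copy of a createContainer body with credential-like env values masked.
    This is the shape the logged message should have had."""
    redacted = json.loads(json.dumps(body))  # cheap deep copy of plain JSON data
    if "env" in redacted:
        masked = []
        for item in redacted["env"]:
            name, sep, _value = item.partition("=")
            masked.append(f"{name}=***" if sep and SECRET_NAME.search(name) else item)
        redacted["env"] = masked
    return redacted


if __name__ == "__main__":
    for index, leaks in scan([SAMPLE_LOG_LINE, CLEAN_LOG_LINE]).items():
        print(f"line {index}: leaked {[name for name, _ in leaks]}")
    print(json.dumps(redact_env(parse_create_container(SAMPLE_LOG_LINE))["env"]))
```

Run the scanner over a copy of Okapi's log (one JSON object per line) to find out which secrets have already been written, and treat every value it reports as compromised and in need of rotation; masking the value in the log, as redact_env does, is the minimum fix on the Okapi side.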

              People

                julianladisch Julian Ladisch
                drexljo Johannes Drexl