Uploaded image for project: 'Okapi'
  1. Okapi
  2. OKAPI-882

Password leaks in log

    XMLWordPrintable

Details

    • Standard Bug Write-Up Format
    • CP: sprint 96
    • 1.5
    • Core: Platform
    • Q3 2020

    Description

      Overview:
      Okapi leaks database credentials for the superuser in its logs on loglevel INFO when starting docker containers.

      Steps to Reproduce:
      Install and start Okapi
      set the DB_PASSWORD environment variable:

      curl -w '\n' -D - -d '{"name":"DB_PASSWORD","value":"mysecret"}' http://localhost:9130/_/env

      deploy a docker container

      Expected Results:
      The logs do not contain environment variables with credentials like DB_PASSWORD

      Actual Results:
      The log contains the DB_PASSWORD value in this entry:

      {"instant":{"epochSecond":1598638031,"nanoOfSecond":205000000},"thread":"vert.x-eventloop-thread-0","level":"INFO","loggerName":"okapi","message":"createContainer {\n  \"AttachStdin\" : false,\n  \"AttachStdout\" : true,\n  \"AttachStderr\" : true,\n  \"StopSignal\" : \"SIGTERM\",\n  \"env\" : [ \"DB_PASSWORD=mysecret\" ],\n  \"Image\" : \"okapi-test-module\",\n  \"HostConfig\" : {\n    \"PortBindings\" : {\n      \"8080/tcp\" : [ {\n        \"HostPort\" : \"9131\"\n      } ]\n    },\n    \"PublishAllPorts\" : false\n  }\n}","endOfBatch":false,"loggerFqcn":"org.apache.logging.log4j.spi.AbstractLogger","threadId":14,"threadPriority":5,"userId":"","requestId":"","tenantId":"","moduleId":""}

      The message field JSON decoded:

      createContainer {
  "AttachStdin" : false,
  "AttachStdout" : true,
  "AttachStderr" : true,
  "StopSignal" : "SIGTERM",
  "env" : [ "DB_PASSWORD=mysecret" ],
  "Image" : "okapi-test-module",
  "HostConfig" : {
    "PortBindings" : {
      "8080/tcp" : [ {
        "HostPort" : "9131"
      } ]
    },
    "PublishAllPorts" : false
  }
}

      DB_PASSWORD=mysecret is a credential that should not be in the log.

      TestRail: Results

        Attachments

          Issue Links

            relates to

            Bug - A problem which impairs or prevents the functions of the product. OKAPI-858 okapi.sh should not put credentials into -D command line options

            • P3 - low priority level, item will be considered for inclusion in the next dev cycle
            • Closed

            Bug - A problem which impairs or prevents the functions of the product. OKAPI-903 Logging object reference rather than JSON

            • P3 - low priority level, item will be considered for inclusion in the next dev cycle
            • Closed

            Bug - A problem which impairs or prevents the functions of the product. OKAPI-915 Okapi Docker deployment URL/port mismatch on restart

            • P1 - highest priority item, drop everything else before this is resolved, reserved for critical bugfixes
            • Closed

            Activity

              People

                julianladisch Julian Ladisch
                drexljo Johannes Drexl
                Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved:

                  TestRail: Runs

                    TestRail: Cases