This repository has been archived by the owner on Feb 9, 2024. It is now read-only.

Security: stack traces returned in API #2269

Closed
knisbet opened this issue Oct 22, 2020 · 1 comment · Fixed by #2357
Labels
kind/security Security related issues type: kind/bug

Comments


knisbet commented Oct 22, 2020

While gravity is OSS software, meaning that returning stack traces doesn't tend to be a real information disclosure, it does provide some opportunity to observe the code paths or possibly the version of gravity in use. These aren't used, so we should disable them.

Example:

```json
{
  "error": {
    "message": "access denied"
  },
  "traces": [
    {
      "path": "/gopath/src/github.com/gravitational/gravity/vendor/github.com/gravitational/teleport/lib/httplib/httplib.go",
      "func": "github.com/gravitational/gravity/vendor/github.com/gravitational/teleport/lib/httplib.WithCSRFProtection.func1",
      "line": 85
    },
    {
      "path": "/gopath/src/github.com/gravitational/gravity/vendor/github.com/julienschmidt/httprouter/router.go",
      "func": "github.com/gravitational/gravity/vendor/github.com/julienschmidt/httprouter.(*Router).ServeHTTP",
      "line": 299
    },
```
@knisbet knisbet added kind/security Security related issues type: kind/bug labels Oct 22, 2020

knisbet commented Dec 3, 2020

To reproduce: curl -k -H "Content-Type: application/json" -d '{"username": "example", "password":"invalid"}' https://<web server>/proxy/v1/webapi/sessions

@lenko-d lenko-d self-assigned this Dec 4, 2020
a-palchikov added a commit that referenced this issue Aug 12, 2021
implement conditional stack traces for HTTP APIs.
The original implementation removes the stack traces from HTTP API
errors unconditionally which results in reduced troubleshooting efficacy
when the errors contain important details about a failure from the CLI
client.
In order to counter this and provide useful information when necessary,
the stack traces are only stripped if the request does not contain a
custom marker identifying the gravity client.

Updates #2269.
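One way to implement the conditional stripping that commit message describes, as an added Go example that is not gravity's own code: the marker header name `X-Gravity-Client`, the `Trace`/`APIError` types and the sample frame are assumptions made for the example, shaped after the JSON in the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// Trace is one stack frame, shaped like the frames in the issue's example.
type Trace struct {
	Path string `json:"path"`
	Func string `json:"func"`
	Line int    `json:"line"`
}
// APIError is the error envelope from the issue: a message plus optional traces.
type APIError struct {
	Error  errorBody `json:"error"`
	Traces []Trace   `json:"traces,omitempty"` // omitted entirely when stripped
}
type errorBody struct {
	Message string `json:"message"`
}
// clientMarkerHeader is a hypothetical header name standing in for the
// "custom marker identifying the gravity client" named in the commit message.
const clientMarkerHeader = "X-Gravity-Client"

// includeTraces reports whether this caller may receive stack traces: only a
// request carrying the client marker does; curl, browsers and unknown callers get the message alone.
func includeTraces(h http.Header) bool {
	return h.Get(clientMarkerHeader) != ""
}

// renderError builds the JSON error body, dropping the traces unless the
// request identified itself as the CLI client; the message itself is always kept.
func renderError(h http.Header, msg string, traces []Trace) ([]byte, error) {
	e := APIError{Error: errorBody{Message: msg}}
	if includeTraces(h) {
		e.Traces = traces
	}
	return json.Marshal(e)
}

func main() {
	// Constructed frame; the anonymous request gets no traces, the marked one does.
	frames := []Trace{{Path: "/gopath/src/example.go", Func: "example.Handler", Line: 85}}
	anon, _ := renderError(http.Header{}, "access denied", frames)
	cli := http.Header{clientMarkerHeader: []string{"gravity"}}
	marked, _ := renderError(cli, "access denied", frames)
	fmt.Printf("%s\n%s\n", anon, marked)
}
```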