[0.9.3] InfluxDB log password redaction leaves query mangled, but not redacted #3883

Closed
brettdh opened this issue Aug 28, 2015 · 3 comments


brettdh commented Aug 28, 2015

Password redaction isn't quite doing its job:

[http] 2015/08/28 16:47:52 ::1 - admin [28/Aug/2015:16:47:52 +0000] GET /query?[REDACTED]
q[REDACTED]=[REDACTED]C[REDACTED]R[REDACTED]E[REDACTED]A[REDACTED]T[REDACTED]E[REDACTED]+
[REDACTED]U[REDACTED]S[REDACTED]E[REDACTED]R[REDACTED]+
[REDACTED]r[REDACTED]e[REDACTED]a[REDACTED]d[REDACTED]e[REDACTED]r[REDACTED]+
[REDACTED]W[REDACTED]I[REDACTED]T[REDACTED]H[REDACTED]+
[REDACTED]P[REDACTED]A[REDACTED]S[REDACTED]S[REDACTED]W[REDACTED]O[REDACTED]R[REDACTED]D
[REDACTED]...

Which is something like '[REDACTED]'.join("q=CREATE+USER+reader+WITH+PASSWORD+[etc]")

Not quite what you had in mind, I imagine. ;-)


otoolep commented Aug 28, 2015

@gunnaraasen ?

@beckettsean beckettsean added this to the 0.9.4 milestone Sep 1, 2015
jsternberg (Contributor) commented

Does this still exist and how can we reproduce this issue?

gunnaraasen (Member) commented

This issue still exists and needs to be fixed. The HTTP response logger simply replaces any strings in the query params that match the password right now. This exposes info about the password value itself and can lead to the situation above, where the password is set as a space.

@jsternberg jsternberg modified the milestones: 0.13.0, 0.9.4 Apr 8, 2016
@jsternberg jsternberg assigned jsternberg and unassigned gunnaraasen Apr 8, 2016
jsternberg added a commit that referenced this issue Apr 19, 2016
Sanitizing is now done through pattern matching rather than parsing the
query and replacing the password in the query. This prevents
accidentally redacting the wrong part of a query and revealing what the
password is through association.

Fixes #3883.
jsternberg added a commit that referenced this issue Apr 22, 2016
Sanitizing is now done through pattern matching rather than parsing the
query and replacing the password in the query. This prevents
accidentally redacting the wrong part of a query and revealing what the
password is through association.

Fixes #3883.
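To make the two approaches in this thread concrete, here is an added illustration (not InfluxDB's own code): the value-based replacement gunnaraasen describes, which mangles the whole request line when the password is empty, beside a structure-based redaction in the spirit of the fix. The regex shapes and the treatment of `p=` as the password query parameter are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// naiveRedact reproduces the behaviour described in the thread: the logger
// replaces every occurrence of the password *value* in the request line.
// strings.Replace with an empty old string matches at every rune boundary,
// which yields the mangled "[REDACTED]q[REDACTED]=..." line from the report.
func naiveRedact(requestLine, password string) string {
	return strings.Replace(requestLine, password, "[REDACTED]", -1)
}

// passwordClause matches the PASSWORD clause of a URL-encoded query
// (PASSWORD+'...' or PASSWORD%20%27...%27) whatever the value is.
// Assumption: the password is single-quoted and contains no quote itself.
var passwordClause = regexp.MustCompile(`(?i)(PASSWORD(?:\+|%20)+)(?:'|%27)[^'&]*(?:'|%27)`)

// passwordParam matches a p=... query parameter; treating "p" as the
// password parameter is an assumption for this example.
var passwordParam = regexp.MustCompile(`(?i)([?&]p=)[^&]*`)

// patternRedact redacts by structure rather than by value: it never needs
// the password, so an empty or trivial password cannot mangle the log line,
// and nothing about the password's value leaks through which bytes changed.
func patternRedact(requestLine string) string {
	out := passwordClause.ReplaceAllString(requestLine, "${1}[REDACTED]")
	return passwordParam.ReplaceAllString(out, "${1}[REDACTED]")
}

func main() {
	// Constructed request modelled on the issue: the new user's password is empty.
	const req = "/query?q=CREATE+USER+reader+WITH+PASSWORD+''&u=admin&p="
	fmt.Println("value-based:  ", naiveRedact(req, ""))
	fmt.Println("pattern-based:", patternRedact(req))
}
```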