Description
Antonio Anzivino opened SPR-14370 and commented
PropertySourcesPropertyResolver may, under some circumstances, leak information that should not be normally logged. On line 90 it will log the key and the value of the property it finds if debug logging is enabled.
The following is the scenario in which the unwanted information is logged:
In order to store sensitive information (e.g. database password) in property files, we chose to encrypt them using a proprietary class that extends PropertySorucesPropertyResolver (in particular getPropertyAsRawString method).
Since the class extends PropertySourcesPropertyResolver, the logger will be named according to our package (com.acme.EncryptedPropertyResolver).
Unfortunately for us, we have enabled debug logging in UAT environment, resulting in the following
2015-07-17 10:57:13,683 DEBUG [localhost-startStop-1] com.acme.EncryptedPropertyResolver - getProperty - Found key 'database.password' in [file [/path/to/app.properties]] with type [String] and value '[redacted encrypted string]'
The string that is output to the log is encrypted, but our customer is still upset and reported this to us after an automated security scan. We had two options: 1) override the entire method and avoid logging value of property, 2) set logging level to > DEBUG for com.acme.EncryptedPropertyResolver and leave the rest intact.
Security consideration: the string output to the logs is encrypted as I said, so the password is not clearly printed to the logs, however this extends the attack surface as a malicious user with access to the code and application has more chances to obtain the key and the final plaintext password. Of course the key must be protected too, but that is another issue.
The fact is that while property files are protected (by technical and administrative policies) on customer's UAT instance, log files are normally not part of the security policy and are easily sent via email to interested parties when a problem occurs.
I might suggest, since dropping the entire value logging in the official Spring release might be excessive for debug purposes, implementing a blacklist-based value obfuscation. Like if the key contains word such as "password", "secret", "key" (key, really???) Spring may drop the value in the logging statement. Just to give an example.
This, in my personal experience, is done by Atlassian Bamboo logs too (e.g BAM-14475 or Answers
This issue is marked trivial by OP because it can be addressed with additional logging configuration.
Affects: 3.2.17, 4.2.3
Issue Links:
- Accepting null as default value for a property [SPR-14896] #19462 Accepting null as default value for a property
- Don't log property values in PropertySourcesPropertyResolver by default [SPR-14709] #19274 Don't log property values in PropertySourcesPropertyResolver by default
- Consistent logging in Environment and PropertySource implementations [SPR-15825] #20380 Consistent logging in Environment and PropertySource implementations