You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by "1561316811 (via GitHub)" <gi...@apache.org> on 2024/03/31 02:59:26 UTC
[I] The sensitive information of uri may leak [cloudstack]
1561316811 opened a new issue, #8853:
URL: https://github.com/apache/cloudstack/issues/8853
<!--
Verify first that your issue/request is not already reported on GitHub.
Also test if the latest release and main branch are affected too.
Always add information AFTER of these HTML comments, but no need to delete the comments.
-->
##### ISSUE TYPE
<!-- Pick one below and delete the rest -->
* Bug Report
##### COMPONENT NAME
<!--
Categorize the issue, e.g. API, VR, VPN, UI, etc.
-->
~~~
cloudstack-service-secondary-storage
~~~
##### CLOUDSTACK VERSION
<!--
New line separated list of affected versions, commit ID for issues on main branch.
-->
~~~
commit ID: 45d267ccbf2749c547cbbbac4a2cb1f3351dcaf2 on main branch.
~~~
##### CONFIGURATION
<!--
Information about the configuration if relevant, e.g. basic network, advanced networking, etc. N/A otherwise
-->
##### OS / ENVIRONMENT
<!--
Information about the environment if relevant, N/A otherwise
-->
##### SUMMARY
<!-- Explain the problem/feature briefly -->
The sensitive information of URI may leak through "logger.error"
##### STEPS TO REPRODUCE
<!--
For bugs, show exactly how to reproduce the problem, using a minimal test-case. Use Screenshots if accurate.
For new features, show how the feature would be used.
-->
<!-- Paste example playbooks or commands between quotes below -->
~~~
~~~
<!-- You can also paste gist.github.com links for larger files -->
##### EXPECTED RESULTS
<!-- What did you expect to happen when running the steps above? -->
~~~
~~~
##### ACTUAL RESULTS
<!-- What actually happened? -->
<!-- Paste verbatim command output between quotes below -->
~~~
~~~
#### error code location
~~~
protected String parseCifsMountOptions(URI uri) {
List<NameValuePair> args = URLEncodedUtils.parse(uri, "UTF-8");
boolean foundUser = false;
boolean foundPswd = false;
StringBuilder extraOpts = new StringBuilder();
for (NameValuePair nvp : args) {
String name = nvp.getName();
if (name.equals("user")) {
foundUser = true;
logger.debug("foundUser is" + foundUser);
} else if (name.equals("password")) {
foundPswd = true;
logger.debug("password is present in uri");
}
extraOpts.append(name + "=" + nvp.getValue() + ",");
}
if (logger.isDebugEnabled()) {
logger.error("extraOpts now " + extraOpts); //output
}
if (!foundUser || !foundPswd) {
String errMsg = "Missing user and password from URI. Make sure they" + "are in the query string and separated by '&'. E.g. "
+ "cifs://example.com/some_share?user=foo&password=bar";
logger.error(errMsg);
throw new CloudRuntimeException(errMsg);
}
return extraOpts.toString();
}
~~~
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
Re: [I] The sensitive information of uri may leak [cloudstack]
Posted by "DaanHoogland (via GitHub)" <gi...@apache.org>.
DaanHoogland commented on issue #8853:
URL: https://github.com/apache/cloudstack/issues/8853#issuecomment-2034057784
@1561316811 , looking at the logs above I do now see an issue. Please explain?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
Re: [I] The sensitive information of uri may leak [cloudstack]
Posted by "DaanHoogland (via GitHub)" <gi...@apache.org>.
DaanHoogland commented on issue #8853:
URL: https://github.com/apache/cloudstack/issues/8853#issuecomment-2042416493
You are right, I will create a PR to add a call to `StringUtils.cleanString()` here.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
Re: [I] The sensitive information of uri may leak [cloudstack]
Posted by "1561316811 (via GitHub)" <gi...@apache.org>.
1561316811 commented on issue #8853:
URL: https://github.com/apache/cloudstack/issues/8853#issuecomment-2040963891
In the following code, in line 3096, we can infer that "nvp" variable may contain password by lines 3101 and 3106. But the "extraOpts" appends the information of "nvp.getValue()" and then was logged out in line 3110.
https://github.com/apache/cloudstack/blob/2959cc67652381e3a39b298e674a0bced5002337/services/secondary-storage/server/src/main/java/org/apache/cloudstack/storage/resource/NfsSecondaryStorageResource.java#L3091-L3120
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
Re: [I] The sensitive information of uri may leak [cloudstack]
Posted by "DaanHoogland (via GitHub)" <gi...@apache.org>.
DaanHoogland closed issue #8853: The sensitive information of uri may leak
URL: https://github.com/apache/cloudstack/issues/8853
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org