Posted to commits@zeppelin.apache.org by pr...@apache.org on 2017/08/16 00:21:55 UTC

[3/7] zeppelin git commit: [ZEPPELIN-2733] Remove System Information Leak in Authentication.java.

[ZEPPELIN-2733] Remove System Information Leak in Authentication.java.

### What is this PR for?
An information leak occurs when system data or debugging information leaves the program through an output stream or logging function.
In the file Authentication.java,
```
Line 137: LOG.debug("Encrypted user key is {}", userKey);
Line 148: LOG.debug("IV is {}, IV length is {}", initVector, initVector.length());
```
These lines may print information which can reveal some important data to the user, making it vulnerable to attacks; we should not log this sensitive information.

### What type of PR is it?
[Improvement]

### What is the Jira issue?
https://issues.apache.org/jira/browse/ZEPPELIN-2733

### How should this be tested?
Existing tests.

### Screenshots (if appropriate)

### Questions:
* Do the license files need an update? - No
* Are there breaking changes for older versions? - No
* Does this need documentation? - No

Author: Yanbo Liang <yb...@gmail.com>

Closes #2468 from yanboliang/zeppelin-2733 and squashes the following commits:

ce485ae [Yanbo Liang] Remove System Information Leak in Authentication.java.


Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/465b0ba2
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/465b0ba2
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/465b0ba2

Branch: refs/heads/branch-0.7
Commit: 465b0ba2556420d5d1424ef9206e129f07e164e9
Parents: 5ead465
Author: Yanbo Liang <yb...@gmail.com>
Authored: Thu Jul 6 14:31:15 2017 +0800
Committer: Prabhjyot Singh <pr...@gmail.com>
Committed: Tue Aug 15 11:08:12 2017 -0700

----------------------------------------------------------------------
 .../notebook/repo/zeppelinhub/security/Authentication.java         | 2 --
 1 file changed, 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/zeppelin/blob/465b0ba2/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/repo/zeppelinhub/security/Authentication.java
----------------------------------------------------------------------
diff --git a/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/repo/zeppelinhub/security/Authentication.java b/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/repo/zeppelinhub/security/Authentication.java
index 4b8b42d..76968e4 100644
--- a/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/repo/zeppelinhub/security/Authentication.java
+++ b/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/repo/zeppelinhub/security/Authentication.java
@@ -134,7 +134,6 @@ public class Authentication implements Runnable {
 
   // returns login:password
   private String getAuthKey(String userKey) {
-    LOG.debug("Encrypted user key is {}", userKey);
     if (StringUtils.isBlank(userKey)) {
       LOG.warn("ZEPPELINHUB_USER_KEY is blank");
       return StringUtils.EMPTY;
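
Review bot: getAuthKey is commented `// returns login:password`, so removing the debug line for `userKey` at the top of the method covers only the input side; please confirm that no caller logs the value this method returns, since that would expose the decrypted credentials rather than the encrypted key. The retained `LOG.warn("ZEPPELINHUB_USER_KEY is blank")` already gives operators the diagnostic they need without printing the key, so nothing has to replace the removed line.
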
@@ -145,7 +144,6 @@ public class Authentication implements Runnable {
   }
 
   private String decrypt(String value, String initVector) {
-    LOG.debug("IV is {}, IV length is {}", initVector, initVector.length());
     if (StringUtils.isBlank(value) || StringUtils.isBlank(initVector)) {
       LOG.error("String to decode or salt is not provided");
       return StringUtils.EMPTY;
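
Review bot: in decrypt, the retained message `LOG.error("String to decode or salt is not provided")` calls the second argument a salt while the parameter is named `initVector`; reword it to refer to the initialization vector so the log matches the code. It is also worth recording in the commit message that the removed debug line evaluated `initVector.length()` ahead of the `StringUtils.isBlank(initVector)` guard, so a null IV would have thrown a NullPointerException before the guard could return; removing the line fixes that as well as the leak.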