Project

General

Profile

Actions

Bug #23525

closed

Document in logback.xml loggers that display secret at debug level

Added by François ARMAND about 1 year ago. Updated about 1 year ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:
No

Description

There's some loggers that display sensitive information like websession at trace or debug level. This is their goal (for ex to debug session problems), so we can't really "correct" that behavior.
So we need to add a warning section in logback.xml to alert people about that fact.

From parent, we found :

Session ID/cookie¶

We also have clear text session cookies:

DEBUG comet_trace - AJAX Request: node0511q903kiekr5o6wxww1ackn8 Map(F517770518092OA1LPL -> List(true))
DEBUG comet_trace - AJAX Response: node0511q903kiekr5o6wxww1ackn8 InMemoryResponse(
TRACE application - Session node0511q903kiekr5o6wxww1ackn8 inactive for 2462ms / 1800000ms (Full(Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0))
TRACE application - Session node0511q903kiekr5o6wxww1ackn8 inactive for 12462ms / 1800000ms (Full(Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0))

DEBUG org.springframework.security.web.session.HttpSessionEventPublisher - Publishing event: org.springframework.security.web.session.HttpSessionCreatedEvent[source=Session@79246b96{id=node0511q903kiekr5o6wxww1ackn8,x=node0511q903kiekr5o6wxww1ackn8.node0,req=1,res=true}]
DEBUG org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy - Started new session: node0511q903kiekr5o6wxww1ackn8
DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - Stored SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=RudderUserDetail(User(michel,$2b$12$cLxQd6r1qsu0e/psDyL0EuRAhhfHiuApN91cqQlPjyzSuoYcmolY6),Set(Administrator),ACL(List(ApiAclElement(Root(List()),HashSet(HEAD, PUT, GET, POST, DELETE))))), Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=node01ujpvbr7i82u5uhah1mcf0a867], Granted Authorities=[ROLE_USER]]] to HttpSession [Session@79246b96{id=node0511q903kiekr5o6wxww1ackn8,x=node0511q903kiekr5o6wxww1ackn8.node0,req=1,res=true}]
Actions #1

Updated by François ARMAND about 1 year ago

  • Assignee set to Clark ANDRIANASOLO
Actions #2

Updated by Clark ANDRIANASOLO about 1 year ago

  • Status changed from New to In progress
Actions #3

Updated by Clark ANDRIANASOLO about 1 year ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Clark ANDRIANASOLO to François ARMAND
  • Pull Request set to https://github.com/Normation/rudder/pull/5095
Actions #4

Updated by Clark ANDRIANASOLO about 1 year ago

  • Status changed from Pending technical review to Pending release
Actions #5

Updated by Alexis Mousset about 1 year ago

  • Fix check changed from To do to Checked
Actions #6

Updated by Vincent MEMBRÉ about 1 year ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 7.3.8 and 8.0.1 which were released today.

Actions

Also available in: Atom PDF