Project

General

Profile

Actions

Bug #23525

closed

Document in logback.xml loggers that display secret at debug level

Added by François ARMAND about 1 year ago. Updated about 1 year ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:
No

Description

There's some loggers that display sensitive information like websession at trace or debug level. This is their goal (for ex to debug session problems), so we can't really "correct" that behavior.
So we need to add a warning section in logback.xml to alert people about that fact.

From parent, we found :

Session ID/cookie¶

We also have clear text session cookies:

DEBUG comet_trace - AJAX Request: node0511q903kiekr5o6wxww1ackn8 Map(F517770518092OA1LPL -> List(true))
DEBUG comet_trace - AJAX Response: node0511q903kiekr5o6wxww1ackn8 InMemoryResponse(
TRACE application - Session node0511q903kiekr5o6wxww1ackn8 inactive for 2462ms / 1800000ms (Full(Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0))
TRACE application - Session node0511q903kiekr5o6wxww1ackn8 inactive for 12462ms / 1800000ms (Full(Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0))

DEBUG org.springframework.security.web.session.HttpSessionEventPublisher - Publishing event: org.springframework.security.web.session.HttpSessionCreatedEvent[source=Session@79246b96{id=node0511q903kiekr5o6wxww1ackn8,x=node0511q903kiekr5o6wxww1ackn8.node0,req=1,res=true}]
DEBUG org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy - Started new session: node0511q903kiekr5o6wxww1ackn8
DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - Stored SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=RudderUserDetail(User(michel,$2b$12$cLxQd6r1qsu0e/psDyL0EuRAhhfHiuApN91cqQlPjyzSuoYcmolY6),Set(Administrator),ACL(List(ApiAclElement(Root(List()),HashSet(HEAD, PUT, GET, POST, DELETE))))), Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=node01ujpvbr7i82u5uhah1mcf0a867], Granted Authorities=[ROLE_USER]]] to HttpSession [Session@79246b96{id=node0511q903kiekr5o6wxww1ackn8,x=node0511q903kiekr5o6wxww1ackn8.node0,req=1,res=true}]
Actions

Also available in: Atom PDF