Security issue: remove clickhouse server IP & port in the exception #364
Conversation
Thanks for your submission! However, instead of always removing that information (which could be useful for multi-client applications), please make that behavior configurable using the new
@genzgd Wow, thanks. If there is a global setting like that, I will add logic to turn off the sensitive information, respecting the value of show_clickhouse_errors. Thanks
That sounds good -- for reference it was added in response to #344 where it came up, but I missed those places where it was exposed directly in the error message. Here's the v0.7.9 changelog message too:
…tion log respect the value of show_clickhouse_errors
I have just changed the code logic to respect the config. We are facing this issue where the sensitive info is shown to the client even if we turn off show_clickhouse_errors.
I think you need the same check in the
@genzgd
Hi,
The issue is that the HTTPDriver returns sensitive ClickHouse server details (IP & port) in the error exception.
Example:
Expected:
This leads to an issue for downstream applications using this ClickHouse Connect driver:
they return the details to the client side, the UI shows the IP & port, and a hacker may then use this to attack.
We might run into these 2 cases:
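The pattern the PR asks for, as an added example written for this page and not clickhouse-connect's own code: the full error text stays available for server-side logging, while the message that propagates toward clients has the server endpoint (scheme://host:port or bare IP:port) redacted unless the `show_clickhouse_errors`-style flag is on. The class name `DriverError`, the helper `redact_endpoints` and the sample message are this example's own constructions.

```python
import re

# Constructed sample error texts, modelled on the leak the PR describes
# (server host and port embedded in the exception message).
SAMPLE_HTTP_ERROR = ("HTTPDriver for http://10.0.0.12:8123 returned response code 500: "
                     "DB::Exception: Table default.t does not exist")
SAMPLE_CONN_ERROR = "Connection refused to 10.0.0.12:8123 after 3 retries"

# Matches either a URL authority (http://host[:port]) or a bare IPv4:port pair.
_ENDPOINT_RE = re.compile(r"https?://[^\s/]+|\b\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}\b")


def redact_endpoints(message: str) -> str:
    """Replace every server endpoint in the message with a fixed placeholder."""
    return _ENDPOINT_RE.sub("<redacted-server>", message)


class DriverError(Exception):
    """Exception whose public text respects a show-errors setting.

    `full_message` keeps the original text for operator-side logs; `str(exc)`
    (what downstream apps tend to forward to their own clients) is the sanitized
    form unless the caller explicitly opted in. The flag name mirrors the
    `show_clickhouse_errors` setting discussed in the PR.
    """

    def __init__(self, message: str, show_clickhouse_errors: bool = False):
        self.full_message = message
        self.show_clickhouse_errors = show_clickhouse_errors
        super().__init__(self.public_message())

    def public_message(self) -> str:
        # Only the opt-in path exposes the raw server text.
        if self.show_clickhouse_errors:
            return self.full_message
        return redact_endpoints(self.full_message)


if __name__ == "__main__":
    for text in (SAMPLE_HTTP_ERROR, SAMPLE_CONN_ERROR):
        hidden = DriverError(text)                       # default: redacted
        shown = DriverError(text, show_clickhouse_errors=True)
        print("client sees:", hidden)
        print("log keeps:  ", hidden.full_message)
        print("opt-in sees:", shown)
```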