Fix/avoid leak secrects in debug log of ifs #13997
Merged: andsel merged 8 commits into elastic:main from andsel:fix/avoid_leak_secrects_in_debug_log_of_ifs on Apr 21, 2022
andsel requested review from kaisecheng and jsvd and removed request for kaisecheng, April 15, 2022 14:27
jsvd reviewed Apr 19, 2022
logstash-core/src/main/java/org/logstash/config/ir/CompiledPipeline.java
jsvd reviewed Apr 20, 2022
Map<String, Object> args = ImmutableMap.of(key, ((ValueExpression) expression).get()); | ||
Map<String, Object> substitutedArgs = CompiledPipeline.expandConfigVariables(cve, args); | ||
return new ValueExpression(expression.getSourceWithMetadata(), substitutedArgs.get(key)); | ||
Object expanded = CompiledPipeline.expandConfigVariableKeepingSecrets(cve, ((ValueExpression) expression).get()); |
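Review bot: expanded on the expandConfigVariableKeepingSecrets line is declared as Object, so nothing at this call site says whether it holds a plain value or a secret that was kept wrapped. A Javadoc on expandConfigVariableKeepingSecrets stating which type a secret comes back as, and that the result must not be stringified for logging, would make the contract explicit; a unit test for a ValueExpression whose value is a secret reference would pin it down.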
much cleaner <3
logstash-core/src/main/java/org/logstash/plugins/ConfigVariableExpander.java
… SecretStore, instead of using Password, which is meant to cover another use case
… the main flow is more streamlined
jsvd approved these changes Apr 20, 2022
LGTM
Release notes
Fix the leak of secret store secrets when if statements are printed when started with debug log.
What does this PR do?
Updates the ConfigVariableExpander.expand to selectively create SecretVariable instances for SecretStore resolved environment variables. SecretVariable instances in if statements are decrypted during eq EventCondition compilation; bringing the secret value and using in the comparator.
Why is it important/What is the impact to the user?
Permit the user to avoid leakage into the debug log of the secret store's variables, when used in if conditions.
Checklist
[ ] I have made corresponding changes to the documentation
[ ] I have made corresponding change to the default configuration files (and/or docker env variables)
Author's Checklist
How to test this PR locally
bin/logstash -f <pipeline.conf> --debug
)an event should be logged to the console.
Related issues
Use cases
A user would like to use the secret store's resolved variables and avoid leaking them in logs/console when Logstash is run with debug or trace levels.
Logs
Example of secret disclosure launching
bin/logstash --debug
:
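The approach described under "What does this PR do?", as an added Java sketch that is not part of the PR and not Logstash's code: a value resolved from the secret store stays wrapped so that printing the condition shows only the variable reference, and the clear text is read only for the equality check. All class, method and variable names and the sample values are hypothetical, and the sketch unwraps when the comparison runs, where the PR does it during condition compilation.

```java
import java.util.Map;

// Added illustration; every name here is hypothetical, not Logstash's API.
public class SecretExpansionDemo {

    // Wrapper for a value resolved from the secret store: toString() shows only
    // the variable reference, the clear text is reachable only through reveal().
    static final class SecretVar {
        private final String name;
        private final String value;
        SecretVar(String name, String value) { this.name = name; this.value = value; }
        String reveal() { return value; }
        @Override public String toString() { return "${" + name + "}"; }
    }

    // Constructed sample stores (not real secrets).
    static final Map<String, String> SECRET_STORE = Map.of("API_TOKEN", "s3cr3t-constructed");
    static final Map<String, String> ENVIRONMENT = Map.of("REGION", "eu-west-1");

    // Expand "${NAME}": secret store hits stay wrapped, environment hits become plain strings.
    static Object expand(String raw) {
        if (!raw.startsWith("${") || !raw.endsWith("}")) return raw;
        String name = raw.substring(2, raw.length() - 1);
        if (SECRET_STORE.containsKey(name)) return new SecretVar(name, SECRET_STORE.get(name));
        return ENVIRONMENT.getOrDefault(name, raw);
    }

    // Equality condition: the wrapper is opened only here, for the comparison itself.
    static boolean eq(Object fieldValue, Object expanded) {
        Object right = (expanded instanceof SecretVar) ? ((SecretVar) expanded).reveal() : expanded;
        return right.equals(fieldValue);
    }

    // What a debug log line describing the condition would contain.
    static String describe(String field, Object expanded) {
        return "if [" + field + "] == \"" + expanded + "\"";
    }

    public static void main(String[] args) {
        Object token = expand("${API_TOKEN}");
        Object region = expand("${REGION}");
        System.out.println(describe("token", token));        // secret store value stays masked
        System.out.println(describe("region", region));      // plain environment value is shown
        System.out.println(eq("s3cr3t-constructed", token)); // matching still uses the clear text
        System.out.println(eq("wrong", token));
    }
}
```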