Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OpenTracing spans reveal URL auth credentials #1459

Closed
atombender opened this issue Feb 5, 2021 · 7 comments
Closed

OpenTracing spans reveal URL auth credentials #1459

atombender opened this issue Feb 5, 2021 · 7 comments
Labels
Milestone

Comments

@atombender
Copy link
Contributor

atombender commented Feb 5, 2021

Which version of Elastic are you using?

[X] elastic.v7 (for Elasticsearch 7.x)
[ ] elastic.v6 (for Elasticsearch 6.x)
[ ] elastic.v5 (for Elasticsearch 5.x)
[ ] elastic.v3 (for Elasticsearch 2.x)
[ ] elastic.v2 (for Elasticsearch 1.x)

Please describe the expected behavior

We expected the spans reported to hide the user name and password.

Please describe the actual behavior

Full URL was exposed. Example from Jaeger UI (scrubbed):

Screen Shot 2021-02-05 at 08 55 09

Any steps to reproduce the behavior?

Set the client up with a URL with a user name and password.

I'll see about creating a PR for this.

@olivere olivere added the bug label Mar 24, 2021
@olivere olivere added this to the 7.x milestone Mar 24, 2021
@olivere
Copy link
Owner

olivere commented Mar 24, 2021

Oops. That's a bug for sure.

@olivere olivere modified the milestones: 7.x, 7.0.24 Mar 30, 2021
olivere added a commit that referenced this issue Apr 12, 2021
This commit improves the tests to make sure that HTTP basic auth
credentials don't leak into tracing data.

See #1459
@olivere
Copy link
Owner

olivere commented Apr 12, 2021

I improved tests in 180a7ca but cannot reproduce. Am I missing something?

@olivere olivere modified the milestones: 7.0.24, 7.0.25 Apr 12, 2021
@olivere olivere modified the milestones: 7.0.25, 7.0.26 Jun 16, 2021
@olivere olivere modified the milestones: 7.0.26, 7.0.27 Jul 8, 2021
@olivere olivere modified the milestones: 7.0.27, 7.0.28 Jul 30, 2021
@olivere olivere modified the milestones: 7.0.28, 7.0.29 Aug 30, 2021
dungnx pushed a commit to dungnx/elastic that referenced this issue Sep 16, 2021
This commit improves the tests to make sure that HTTP basic auth
credentials don't leak into tracing data.

See olivere#1459
@olivere olivere modified the milestones: 7.0.29, 7.0.30 Sep 16, 2021
@atombender
Copy link
Contributor Author

atombender commented Dec 17, 2021

Great. Just to be clear, that logging goes to the OpenTracing span?

@olivere
Copy link
Owner

olivere commented Dec 17, 2021

Whoops. I'm sorry...

@olivere olivere reopened this Dec 17, 2021
@olivere olivere modified the milestones: 7.0.30, 7.0.31 Dec 17, 2021
@olivere
Copy link
Owner

olivere commented Dec 17, 2021

Have to double-check.

olivere added a commit that referenced this issue Jan 7, 2022
This commit hopefully, finally, fixes the credentials leakage described
in #1459.
@olivere
Copy link
Owner

olivere commented Jan 7, 2022

I'll give it another go in 7.0.31. It replaced the occurrence of req.URL.String() with req.URL.Redacted() which hopefully, finally, fixes this issue. Let me know if it still happens to be logged. I do not doubt it happens, but I'm still not sure how to reproduce it.

@olivere olivere closed this as completed Jan 7, 2022
@atombender
Copy link
Contributor Author

atombender commented Jan 7, 2022

Thank you!

olivere added a commit that referenced this issue Jan 7, 2022
This commit will also redact the URL to not expose credentials, similar
to #1459.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants