Problem

When the following commands are performed:

1. Dump the valid secrets into a yaml file: `k get secret song -o yaml > song-secret.yaml`
2. Extract the `score-accessToken` secret and decode it: `echo <encoded-secret> | tr -d '\n' | base64 -d`
3. Base64-encode the secret WITHOUT stripping the newline: `echo <decoded-secret> | base64`
4. Replace the `score-accessToken` field with the previous result and save the file
5. Apply the new manifest: `k apply -f song-secret.yaml`
6. Publish any analysis with your valid user apiKey obtained from the platform, using the song-client

An error occurs as follows:

```
SONG_SERVER_ERROR[unknown.error @ 1596207025550]: Request processing failed; nested exception is java.lang.IllegalArgumentException: Illegal character(s) in message header value: Bearer <decoded-secret>
```

Essentially, since the score accessToken had a newline at the end, it went down an unaccounted-for spring-framework execution pathway, in which the exception message CONTAINS the secret. This is not good, as it can expose secrets in logs.

In addition, song only intercepts exceptions of type `ServerException`. It should be intercepting all exceptions.
Solution
1. For a request containing a bearer token, ensure it's trimmed (i.e. no whitespace). A simple GenericFilter could do this.
2. In `ServerExceptionHandler`, add a new handler for `Throwable` exceptions which masks tokens from the exception message.
3. For all responses that contain a body and whose request contains a bearer token, ensure the token is masked from the output. This can be done more globally by adding a GenericFilter, which will modify ANY response. This is a safety net.

In this context, masking means taking the access token/apiKey, md5summing it, and replacing it in the message.
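As an added example (not SONG's own code, and not the project's `ServerExceptionHandler`), the first two solution items in one Spring Boot 2.x / javax.servlet sketch: a `OncePerRequestFilter` that trims the bearer token before anything downstream builds a header from it, an MD5 masking helper of the kind item 3 would reuse for response bodies, and a `@ControllerAdvice` handler for `Throwable` that masks the token in the exception message. The package, class and method names are hypothetical.

```java
// Added example, not SONG project code. Assumes Spring Boot 2.x (javax.servlet);
// package and class names are hypothetical.
package org.example.tokenmask;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.Enumeration;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.filter.OncePerRequestFilter;

public final class TokenMasking {

    private TokenMasking() {}

    /** Returns the token from an "Authorization: Bearer <token>" header, trimmed, or null if absent. */
    public static String bearerToken(HttpServletRequest request) {
        String header = request.getHeader(HttpHeaders.AUTHORIZATION);
        if (header == null) return null;
        String trimmed = header.trim();
        if (!trimmed.regionMatches(true, 0, "Bearer ", 0, 7)) return null;
        String token = trimmed.substring(7).trim();   // drops the trailing newline from the issue
        return token.isEmpty() ? null : token;
    }

    /** MD5 hex of the token: a stable identifier that can be logged without revealing the secret. */
    public static String md5Hex(String token) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] digest = md.digest(token.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 unavailable", e);
        }
    }

    /** Replaces every occurrence of the token in message with its MD5 hex digest. */
    public static String mask(String message, String token) {
        if (message == null || token == null || token.isEmpty()) return message;
        return message.replace(token, md5Hex(token));
    }

    /** Item 1: present a trimmed Authorization header to everything after this filter. */
    @Component
    public static class BearerTrimFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            final String token = bearerToken(request);
            if (token == null) {
                chain.doFilter(request, response);
                return;
            }
            final String clean = "Bearer " + token;
            HttpServletRequest wrapped = new HttpServletRequestWrapper(request) {
                @Override
                public String getHeader(String name) {
                    return HttpHeaders.AUTHORIZATION.equalsIgnoreCase(name) ? clean : super.getHeader(name);
                }
                @Override
                public Enumeration<String> getHeaders(String name) {
                    return HttpHeaders.AUTHORIZATION.equalsIgnoreCase(name)
                            ? Collections.enumeration(Collections.singletonList(clean))
                            : super.getHeaders(name);
                }
            };
            chain.doFilter(wrapped, response);
        }
    }

    /** Item 2: catch-all handler that masks the token in any exception message before it leaves the server. */
    @ControllerAdvice
    public static class ThrowableMaskingHandler {
        @ExceptionHandler(Throwable.class)
        public ResponseEntity<String> handle(Throwable t, HttpServletRequest request) {
            String token = bearerToken(request);
            // The raw message may still carry the untrimmed "token\n"; the trimmed token is a
            // substring of it, so the replace removes the secret and leaves only whitespace.
            String body = mask(String.valueOf(t.getMessage()), token);
            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body(body);
        }
    }
}
```

The handler masks only the token of the current request; a message that embeds some other credential is not covered, which is why the issue also asks for the response-body filter as a second safety net. Whatever the server logs before the handler runs (container access logs, for example) is outside both.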