Make sure that no passwords are shown in the logs #1511
Comments
fuss86
added
good first issue
help wanted
hacktoberfest
|
I want to help |
|
Feel free to dig in! :) |
|
I would recommend doing this for all PII. If we are already going to be scouring logs for creds - it woulld be worth doing that as well. Could be done in a follow on ticket as well. |
|
I'm assuming you're referring to "personally identifiable information"? If so, I believe the only information that we keep a record of is the username/e-mail, so I'm not quite sure what else we could sanitize and restrict. |
|
Yep. Email would be one. |
|
Has someone taken this up already ? |
|
@theparselmouth , @n00ner said they'd look into it, but as we haven't seen a pull request yet, I'd say it's probably up for grabs, so you can have a go at it, if you like. |
|
@theparselmouth, try it =) I just studying and work slowly. |
|
I'm participating at hacktoberfest and choose this issue to start working on. |
|
Hi @RutgerDOW , Feel free to look into it! Thanks for offering to help! :) (As we haven't heard back from @n00ner and @theparselmouth , or seen a pull request, I believe it's safe to proceed). Please, feel free to join our chat channel! :) |
Do you need tooling for it, or is manually search and output to enumeration satisfying? In last case, how will it be maintained?
Is a search and delete in the logged data the solution, or is must all password object or string be omitted from methods of toString object in underlying classes? |
|
I think you can start by ommitting things from the |
|
@carlspring / @fuss86 / @sbespalov in addition and as a fallback option, maybe we could try to configure |
|
@steve-todorov I think it might be hard to prepare a regex for such purpose. We can't predict it I think. |
|
@carlspring |
|
Hi @deepank120896 - feel free to pick it up. You can also join our chat if you have more questions. :) |
|
Hi @deepank120896 - Are you contributing to this issue. If not I'm interested in contributing to this issue |
|
@VishnuLakkimsetty Yes I am working on it |
|
@deepank120896 Are you still working on this? I've done a quick initial investigation and happy to continue. These would be the first files to look into: find . -type f -name '*.java' | grep -v "/test" | xargs grep -l password | xargs grep -l toString
./strongbox-rest-client/src/main/java/org/carlspring/strongbox/client/RestClient.java
./strongbox-security/strongbox-user-management/src/main/java/org/carlspring/strongbox/users/dto/UserDto.java
./strongbox-security/strongbox-user-management/src/main/java/org/carlspring/strongbox/users/userdetails/SpringSecurityUser.java
./strongbox-security/strongbox-user-management/src/main/java/org/carlspring/strongbox/users/domain/UserData.java
./strongbox-security/strongbox-authentication-providers/strongbox-default-authentication-provider/src/main/java/org/carlspring/strongbox/authentication/api/password/PasswordAuthenticationProvider.java
./strongbox-security/strongbox-authentication-providers/strongbox-default-authentication-provider/src/main/java/org/carlspring/strongbox/authentication/api/CacheManagerAuthenticationCache.java
./strongbox-storage/strongbox-storage-core/src/main/java/org/carlspring/strongbox/configuration/MutableProxyConfiguration.java
./strongbox-client/src/main/java/org/carlspring/strongbox/client/ArtifactClient.java |
|
@Syntax753 feel free to pick this up if you're still interested and open a PR :) |
|
Hi, I'm a contributor and I see this is a good first issue. Can you assign this issue to me so I can work on it? Many thanks! |
|
@colinldbd : This project is on hold. |
|
Hi @carlspring - I would recommend adding an appropriate label for the status. |
|
@khushbukareliya07 : The point being? I assume you've read my last comment. |
Task Description
When a user authenticates, the logs may contain his hashed password. We should make sure that we don't leak any credential information in the logs (even hashed passwords).
Tasks
The following tasks will need to be carried out:
toStringmethods do not contain sensitive dataHelp
The text was updated successfully, but these errors were encountered: