
Exposing the password to the log file.

Open vovavoloshin opened this issue 3 years ago • 6 comments

In case of an exception in class RedirectingEurekaHttpClient, the serviceEndpoint variable holds the full URL, including the password to Eureka, and the line -> logger.info("Request execution error. endpoint={}, exception={} stacktrace={}", serviceEndpoint, e.getMessage(), ExceptionUtils.getStackTrace(e)); prints it to the log. Can you not print the password?

vovavoloshin (May 11 '21 06:05)

the serviceEndpoint variable, holds the full url including the password to eureka

This bit is not clear to me, can you give an example? You mean when a serviceUrl supplied via the config has sensitive information itself?

troshko111 (May 17 '21 16:05)

the serviceEndpoint variable, holds the full url including the password to eureka

This bit is not clear to me, can you give an example? You mean when a serviceUrl supplied via the config has sensitive information itself?

Hello, I hope this will make it clearer. I mean that on startup of the service, in case of an exception, sensitive information such as the password is written to the log, because the object serviceEndpoint is holding this info and it is printed to the log. The password itself is encrypted in the properties file, but the serviceEndpoint at runtime holds this info decrypted, and when it is printed to the log it exposes this information.

vovavoloshin (May 18 '21 06:05)

because the object serviceEndpoint is holding this info

This is the bit I'm not sure I understand: how does a password end up in there in the first place, and what password is it? Do you specify your endpoints in the form of:

eureka.serviceUrl.<zone>=http://host:port/eureka/v2<password in the query string or path>?

I don't disagree we should not be logging sensitive info, but I want to understand how sensitive info ends up in the service end point and what's the overall use case. If you can describe the use case with a minimal example that'd be helpful.

troshko111 (May 18 '21 21:05)

In our case, the URL is provided via a custom EurekaClientConfig. When getEurekaServerServiceUrls() is called on our custom config, we build URLs with the username and password (https://user:password@server:port). The URL (with the password) is what is logged in RedirectingEurekaHttpClient.execute() when an exception is thrown. Granted, it is INFO, but it's also dumped as a warning further down in executeOnNewServer().

gschoendaller (Sep 08 '21 23:09)

gschoendaller

Sounds like this can be configurable. In general you do want to know which peer the request failed to, but in cases where you use a scheme like this it can be nice to be able to obfuscate it. We can discuss possible ways of doing it if anyone's interested in implementing this.

troshko111 (Sep 09 '21 00:09)

FYI, I'm doing something like this because it seems Spring Boot norms are to encode the password in the URL.

      // Needs java.net.URI and java.net.URISyntaxException; BasicToken is
      // com.linecorp.armeria.common.auth.BasicToken.
      URI serviceUrl = URI.create(eurekaUri);
      BasicToken auth = null; // this is armeria type, but anyway you can see what I mean
      if (serviceUrl.getUserInfo() != null) {
        // Limit the split to 2 parts so a password that itself contains ':' is kept intact
        String[] ui = serviceUrl.getUserInfo().split(":", 2);
        if (ui.length == 2) {
          auth = BasicToken.ofBasic(ui[0], ui[1]);
        }
        // Always drop the userinfo, whether or not it parsed as user:password
        serviceUrl = stripBaseUrl(serviceUrl);
      }

--snip--
      // here is the washed serviceUrl, not the input
      LOGGER.info("Using eureka to discover zipkin: {}", serviceUrl);

--snip--
  // Strip the credentials and any invalid query or fragment from the URI
  static URI stripBaseUrl(URI baseUrl) {
    try {
      // null userInfo, query and fragment: only scheme, host, port and path survive
      return new URI(baseUrl.getScheme(), null, baseUrl.getHost(), baseUrl.getPort(),
          baseUrl.getPath(), null, null);
    } catch (URISyntaxException e) {
      throw new IllegalArgumentException(e);
    }
  }

codefromthecrypt (Jan 21 '24 01:01)
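Added example, not Eureka's code and not the snippet posted above: where the stripping approach above removes the credentials entirely, this helper masks only the password, so the log line still names the peer (scheme, user, host, port, path) that the request failed against, which is the configurable obfuscation suggested earlier in the thread. The class name EndpointRedactor, the methods redact/redactAll, the "***" mask and the sample endpoints are assumptions made for the example; the hosts and credentials are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical helper (not part of Eureka) that masks the password in a service URL
 * before it is logged, while keeping scheme, username, host, port and path so the
 * failing peer can still be identified from the log line.
 */
public final class EndpointRedactor {
    private static final String MASK = "***";

    private EndpointRedactor() {}

    /**
     * Returns the URL with the password part of the userinfo replaced by "***".
     * "user:pass@host" becomes "user:***@host"; a userinfo without ':' (username only)
     * and URLs without userinfo are returned unchanged. The raw, still percent-encoded
     * userinfo is replaced in the original string, so nothing needs to be re-encoded.
     */
    public static String redact(String serviceUrl) {
        if (serviceUrl == null) {
            return null;
        }
        URI uri;
        try {
            uri = new URI(serviceUrl);
        } catch (URISyntaxException e) {
            // Not parsable: refuse to echo it, because it may still contain a secret.
            return "<unparsable service URL>";
        }
        String rawUserInfo = uri.getRawUserInfo();
        if (rawUserInfo == null) {
            return serviceUrl;
        }
        int colon = rawUserInfo.indexOf(':');
        if (colon < 0) {
            return serviceUrl;
        }
        // In a hierarchical URI with an authority the userinfo directly follows "//".
        int userInfoStart = serviceUrl.indexOf("//") + 2;
        return serviceUrl.substring(0, userInfoStart)
                + rawUserInfo.substring(0, colon + 1) + MASK
                + serviceUrl.substring(userInfoStart + rawUserInfo.length());
    }

    /** Redacts every URL in a list, e.g. the result of getEurekaServerServiceUrls(). */
    public static List<String> redactAll(List<String> serviceUrls) {
        List<String> out = new ArrayList<>(serviceUrls.size());
        for (String url : serviceUrls) {
            out.add(redact(url));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample endpoints; the hosts and credentials are made up.
        List<String> endpoints = List.of(
                "https://eureka:s3cr3t%3Apass@eureka1.example.internal:8761/eureka/",
                "http://eureka2.example.internal:8761/eureka/",
                "https://readonly@eureka3.example.internal/eureka/v2?zone=a");
        for (String endpoint : endpoints) {
            // What the issue complains about: the raw endpoint echoed into the log line.
            System.out.println("unsafe: Request execution error. endpoint=" + endpoint);
            // The same line with only the password masked.
            System.out.println("safe:   Request execution error. endpoint=" + redact(endpoint));
        }
    }
}
```

Redacting the endpoint argument alone is not sufficient: the exception message and stack trace logged on the same line can repeat the target URL if the underlying HTTP client put it there, so run the same redaction over e.getMessage() (or log only the exception class and the redacted endpoint) before the password stops reaching the log.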