openhab1-addons icon indicating copy to clipboard operation
openhab1-addons copied to clipboard

Published 20 hours ago verified publisher icon openhab

[Anel] Password in the log file for anel hut

Open yveshanoulle opened this issue 6 years ago • 5 comments

Expected Behavior

when there is an error, the password of teh user having the trouble, should not be in the log

Current Behavior

In https://github.com/openhab/openhab1-addons/blob/35f5a2973ddb1de98468ce1382d9ec1d334b3727/bundles/binding/org.openhab.binding.anel/src/main/java/org/openhab/binding/anel/internal/AnelConnectorThread.java

this code add's the password to cmd and then gives out cmd when there is an exception

    // Format to switch on: IO_on<nr><user><pwd>
    // Format to switch off: IO_off<nr><user><pwd>
    // Example: IO_on3adminanel
    final String cmd = "IO_" + (newState ? "on" : "off") + ioNr + user + password;
    logger.debug("Sending to " + state.host + ": " + cmd);
    try {
        connector.sendDatagram(cmd.getBytes());
    } catch (Exception e) {
        if (e.getCause() instanceof UnknownHostException) {
            logger.error("Could not check status of Anel device '" + state.host + "'");
        } else {
            logger.error("Error occurred when sending UDP data to Anel device: " + cmd, e);
        }
    }

Possible Solution

something like

final String cmd = "IO_" + (newState ? "on" : "off") + ioNr ; final String up= user + password; final String cmdup= cmd+up; ...

connector.sendDatagram(cmdup.getBytes()); By changing cmd, all the places where cmd is used in teh logging, don't have to change..

yveshanoulle avatar Nov 25 '18 14:11 yveshanoulle

@kaikreuzer I'm not sure if you consider this a bug or a refactoring, yet the fact that it shows a password, seems a big flaw. It looks like the original coder is no longer maintaining it. I have other issues with the binding, yet this seems more important as it's a security issue

yveshanoulle avatar Dec 02 '18 15:12 yveshanoulle

I would suggest just moving the credentials into a TRACE message, so that the user can enable viewing it if needed, but it never shows up by default:

} else {
            logger.warn("Error occurred when sending UDP data to Anel device", e);
            logger.trace("Command that was being sent: {}", cmd);
}

9037568 avatar Dec 23 '18 04:12 9037568

I would not even log the user name and password. as far as I know, some months ago al lot of passwords were removed from logging. Might be more interesting to send a message, wrong username + password, yet I have no idea if anel hut supports that. Yet I think for now, removing it would already make this much safer.

yveshanoulle avatar Jan 04 '19 00:01 yveshanoulle

@9037568 I see the awaiting-feedback label, yet I have no idea who or what should give feedback.

yveshanoulle avatar Jan 09 '19 16:01 yveshanoulle

I agree with @yveshanoulle. I'll try to find some time to create a PR the next days.

paphko avatar Mar 07 '19 12:03 paphko