Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mask secrets in CommandInvokedEvent and Command logger #25307

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Mask secrets in CommandInvokedEvent and Command logger #25307

wants to merge 3 commits into from

Conversation

OndroMih
Copy link
Contributor

@OndroMih OndroMih commented Jan 5, 2025

This fixes a security issue in the Command Logger feature, which allowed to expose passwords used in some admin commands. This fix replaces passwords in the logged messages by "******".

pzygielo
pzygielo reviewed Jan 5, 2025
View reviewed changes
nucleus/core/kernel/src/main/java/com/sun/enterprise/v3/admin/CommandRunnerImpl.java Outdated
subject);
eventService.getCommandInvokedTopic()
.publish(event);
}

private ParameterMap maskSecretParameters(ParameterMap parameters) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could it be static and have unit test?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK. I will add this specific case into the CommandLoggerTest tests.

pzygielo
pzygielo reviewed Jan 5, 2025
View reviewed changes
nucleus/core/kernel/src/main/java/com/sun/enterprise/v3/admin/CommandRunnerImpl.java Outdated
@@ -1642,12 +1643,22 @@ public void executeFromCheckpoint(JobManager.Checkpoint checkpoint, boolean reve
private void publishCommandInvokedEvent(ExecutionContext invocation, Subject subject) {
final CommandInvokedEvent event = new CommandInvokedEvent(
invocation.name(),
invocation.parameters(),
maskSecretParameters(invocation.parameters()),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The current failures suggest (to me), that invocation.parameters() can be null.

@OndroMih
Mask secrets - tests, refactoring, null check
5678411 
Extracted ExecutionContext inner class to package-private class CommandRunnerExecutionContext. Was too big and deserved a file on its own.
Moved mask method to ParameterMap and added unit tests.
@OndroMih
Mask secrets - fix for Java 11, another test
4367847 
A test to verfiy that the command logger doesn't log passwords
@OndroMih OndroMih requested review from pzygielo and hs536 January 10, 2025 12:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pzygielo pzygielo Awaiting requested review from pzygielo

@hs536 hs536 Awaiting requested review from hs536

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@OndroMih @pzygielo