SUMMARY

St2 writes HTTP requests with an unsanitised username/password pair to st2.auth.log when the log level is set to DEBUG.

STACKSTORM VERSION

st2 3.8.0, on Python 3.6.9

OS, environment, install method

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.6 LTS
Release:        18.04
Codename:       bionic

Install method: manual (https://docs.stackstorm.com/install/u18.html)

Steps to reproduce the problem

1. st2.conf auth section using the LDAP backend:

[auth]
host = 127.0.0.1
port = 9100
use_ssl = False
debug = True
enable = True
logging = /etc/st2/logging.auth.conf
mode = standalone
backend = ldap
backend_kwargs = { "bind_dn": "cn=st2,dc=example,dc=net", "bind_password": "xxxx", "base_ou": "dc=example,dc=com", "group_dns": ["cn=stackstorm users", "cn=stackstorm admins"], "host": "localhost", "port": 389, "use_ssl": false }

2. Login via the st2 CLI:

st2 auth st2admin -t

3. Review the log entries in st2.auth.log.

The logged HTTP request contains the Authorization header with the username/password:

2023-05-13 09:52:17,208 140432424245856 DEBUG router [-] Received call with WebOb: POST /tokens HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Authorization: Basic c3QyYWRtaW46TGVha2VkUGFzc3dvcmQK
Connection: keep-alive
Content-Length: 2
Content-Type: application/json
Host: 127.0.0.1:9100
User-Agent: python-requests/2.25.1
X-Request-Id: 52ad53f1-9942-4b31-95c6-cb12e442f77a
{}

The Authorization value is plain text, base64 encoded:

base64 -d <<<c3QyYWRtaW46TGVha2VkUGFzc3dvcmQK
st2admin:LeakedPassword

Expected Results

In order of preference:

Actual Results

Authentication secrets leaked in plain text through logs.
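As an added example (it is not part of this issue and not StackStorm's own code), the Python below shows the two checks a defender wants for this class of bug: masking the Authorization header before a request dump reaches the log, and scanning lines already written to st2.auth.log for HTTP Basic credentials logged in the clear. The names `AUTH_HEADER_RE`, `redact_authorization`, `find_leaked_basic_auth` and `SAMPLE_LOG_LINES` are mine; the first sample line is the report's DEBUG entry reproduced on one line, the second is a constructed, harmless entry.

```python
import base64
import re

# Authorization header inside a logged request dump. Scheme and credential are
# captured separately so the scheme can be kept while the secret is masked.
AUTH_HEADER_RE = re.compile(
    r"(Authorization:\s*)(Basic|Bearer|Token)\s+(\S+)", re.IGNORECASE
)

# Sample log lines: the first is the DEBUG entry from the report above
# reproduced on one line; the second is a constructed entry with no credential.
SAMPLE_LOG_LINES = [
    "2023-05-13 09:52:17,208 140432424245856 DEBUG router [-] Received call with "
    "WebOb: POST /tokens HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate "
    "Authorization: Basic c3QyYWRtaW46TGVha2VkUGFzc3dvcmQK Connection: keep-alive "
    "Content-Length: 2 Content-Type: application/json Host: 127.0.0.1:9100 "
    "User-Agent: python-requests/2.25.1 "
    "X-Request-Id: 52ad53f1-9942-4b31-95c6-cb12e442f77a {}",
    "2023-05-13 09:52:18,004 140432424245856 DEBUG router [-] Received call with "
    "WebOb: GET /v1/ HTTP/1.1 Accept: */* Host: 127.0.0.1:9101 {}",
]


def redact_authorization(text: str) -> str:
    """Mask the credential part of every Authorization header in a request dump.

    The scheme (Basic, Bearer, Token) is kept so the log still shows how the
    caller authenticated; only the secret is replaced by a fixed mask.
    """
    return AUTH_HEADER_RE.sub(lambda m: f"{m.group(1)}{m.group(2)} ********", text)


def find_leaked_basic_auth(log_lines):
    """Report lines in which an HTTP Basic credential was logged in the clear.

    Returns (line_number, username) pairs. The value is decoded only to confirm
    it really is a user:password pair; the password itself is never returned.
    """
    findings = []
    for lineno, line in enumerate(log_lines, start=1):
        for m in AUTH_HEADER_RE.finditer(line):
            if m.group(2).lower() != "basic":
                continue
            try:
                decoded = base64.b64decode(m.group(3), validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            username, sep, _password = (
                decoded.decode("utf-8", "replace").rstrip("\r\n").partition(":")
            )
            if sep:
                findings.append((lineno, username))
    return findings


if __name__ == "__main__":
    for lineno, user in find_leaked_basic_auth(SAMPLE_LOG_LINES):
        print(f"line {lineno}: Basic credential for user '{user}' written to log")
    print(redact_authorization(SAMPLE_LOG_LINES[0]))
```

The regex scrub is a last line of defence for log shipping or rotation hooks; the real fix belongs at the point where the router logs the WebOb request, so the header never reaches the file in the first place.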