Issue #3015
closedSensitive data is visible in task results in case of download failures
Description
To reproduce: sync repo which misses some files to cause download failures: https://repos.fedorapeople.org/pulp/pulp/fixtures/file-mixed/PULP_MANIFEST
Check description of non-fatal errors, it contains all the configuration details for the downloader, including password and SSL key (in the output below those params are not configured at all for the importer and thus empty).
This data is added here for HttpDownload
and here for FtpDownload
.
HTTP 200 OK
Allow: GET, OPTIONS
Content-Type: application/json
Vary: Accept
{
"_href": "http://127.0.0.1:8000/api/v3/tasks/6709dd9e-3ee1-4343-8d6f-a28b77a8d92b/",
"group": null,
"state": "completed",
"started_at": "2017-09-14T23:48:35.283677Z",
"finished_at": "2017-09-14T23:48:36.977364Z",
"non_fatal_errors": [
{
"traceback": null,
"code": null,
"description": "HttpDownload: id=5808 url=https://repos.fedorapeople.org/pulp/pulp/fixtures/file-mixed/missing-1.iso writer=missing-1.iso | repair: retries=1 | timeout: connect=10 read=30 | ssl: validation=False CA= key= certificate= | User: name= password= | proxy= headers={} - Failed. Reason: HTTP [404]"
},
{
"traceback": null,
"code": null,
"description": "HttpDownload: id=5960 url=https://repos.fedorapeople.org/pulp/pulp/fixtures/file-mixed/missing-2.iso writer=missing-2.iso | repair: retries=1 | timeout: connect=10 read=30 | ssl: validation=False CA= key= certificate= | User: name= password= | proxy= headers={} - Failed. Reason: HTTP [404]"
}
],
"error": null,
"worker": "http://127.0.0.1:8000/api/v3/workers/reserved_resource_worker_2@pulp3/",
"parent": null,
"tags": [],
"progress_reports": [
{
"message": "Add Content",
"state": "completed",
"total": 5,
"done": 5,
"suffix": "",
"task": "http://127.0.0.1:8000/api/v3/tasks/6709dd9e-3ee1-4343-8d6f-a28b77a8d92b/"
},
{
"message": "Remove Content",
"state": "completed",
"total": 0,
"done": 0,
"suffix": "",
"task": "http://127.0.0.1:8000/api/v3/tasks/6709dd9e-3ee1-4343-8d6f-a28b77a8d92b/"
}
]
}
Updated by ttereshc over 7 years ago
- Triaged changed from No to Yes
- Sprint Candidate changed from No to Yes
Updated by jortel@redhat.com over 7 years ago
I don't see how the paths to the SSL certificates or the username would be a security problem. The password should be masked. Masking is seems better than removing all together because knowing it contained a value would be helpful when troubleshooting.
Added by jortel@redhat.com over 7 years ago
Added by jortel@redhat.com over 7 years ago
Revision b7cee910 | View on GitHub
Mask logged password. closes #3015
Updated by jortel@redhat.com about 7 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to jortel@redhat.com
Updated by jortel@redhat.com about 7 years ago
- Status changed from ASSIGNED to POST
Updated by jortel@redhat.com about 7 years ago
- Status changed from POST to MODIFIED
Applied in changeset pulp|b7cee910e9078d13c9f5e956ef62291685d16da5.
Updated by bmbouter about 5 years ago
- Status changed from MODIFIED to CLOSED - CURRENTRELEASE
Mask logged password. closes #3015