Issue #3015

Sensitive data is visible in task results in case of download failures

Added by ttereshc about 2 years ago. Updated 6 months ago.

Status: MODIFIED
Priority: Normal
Category: -
Sprint/Milestone:
Start date:
Due date:
Severity: 2. Medium
Version:
Platform Release:
Blocks Release:
OS:
Backwards Incompatible: No
Triaged: Yes
Groomed: No
Sprint Candidate: Yes
Tags:
QA Contact:
Complexity:
Smash Test:
Verified: No
Verification Required: No
Sprint: Sprint 26

Description

To reproduce: sync a repo that is missing some files to cause download failures: https://repos.fedorapeople.org/pulp/pulp/fixtures/file-mixed/PULP_MANIFEST

Check the description of the non-fatal errors; it contains all the configuration details for the downloader, including the password and SSL key (in the output below those params are not configured at all for the importer and are thus empty).
This data is added here for HttpDownload and here for FtpDownload.

HTTP 200 OK
Allow: GET, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "_href": "http://127.0.0.1:8000/api/v3/tasks/6709dd9e-3ee1-4343-8d6f-a28b77a8d92b/",
    "group": null,
    "state": "completed",
    "started_at": "2017-09-14T23:48:35.283677Z",
    "finished_at": "2017-09-14T23:48:36.977364Z",
    "non_fatal_errors": [
        {
            "traceback": null,
            "code": null,
            "description": "HttpDownload: id=5808 url=https://repos.fedorapeople.org/pulp/pulp/fixtures/file-mixed/missing-1.iso writer=missing-1.iso | repair: retries=1 | timeout: connect=10 read=30 | ssl: validation=False CA= key= certificate= | User: name= password= | proxy= headers={} - Failed. Reason: HTTP [404]" 
        },
        {
            "traceback": null,
            "code": null,
            "description": "HttpDownload: id=5960 url=https://repos.fedorapeople.org/pulp/pulp/fixtures/file-mixed/missing-2.iso writer=missing-2.iso | repair: retries=1 | timeout: connect=10 read=30 | ssl: validation=False CA= key= certificate= | User: name= password= | proxy= headers={} - Failed. Reason: HTTP [404]" 
        }
    ],
    "error": null,
    "worker": "http://127.0.0.1:8000/api/v3/workers/reserved_resource_worker_2@pulp3/",
    "parent": null,
    "tags": [],
    "progress_reports": [
        {
            "message": "Add Content",
            "state": "completed",
            "total": 5,
            "done": 5,
            "suffix": "",
            "task": "http://127.0.0.1:8000/api/v3/tasks/6709dd9e-3ee1-4343-8d6f-a28b77a8d92b/" 
        },
        {
            "message": "Remove Content",
            "state": "completed",
            "total": 0,
            "done": 0,
            "suffix": "",
            "task": "http://127.0.0.1:8000/api/v3/tasks/6709dd9e-3ee1-4343-8d6f-a28b77a8d92b/" 
        }
    ]
}

Associated revisions

Revision b7cee910 View on GitHub
Added by jortel@redhat.com about 2 years ago

Mask logged password.
closes #3015

History

#1 Updated by ttereshc about 2 years ago

  • Triaged changed from No to Yes
  • Sprint Candidate changed from No to Yes

#2 Updated by jortel@redhat.com about 2 years ago

I don't see how the paths to the SSL certificates or the username would be a security problem. The password should be masked. Masking seems better than removing it altogether because knowing it contained a value would be helpful when troubleshooting.
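The masking approach discussed in this comment, as an added example that is not Pulp's code or the patch from revision b7cee910: the string form of the download settings hides the password but still shows whether one was configured. `DownloadSettings`, `mask` and `mask_proxy` are hypothetical names, the sample values are constructed, and masking proxy credentials and authorization headers goes beyond what the issue asks for.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

MASK = "*****"
SECRET_HEADERS = ("authorization", "proxy-authorization")


def mask(value):
    """Hide a secret but keep the signal that it was configured."""
    return MASK if value else ""


def mask_proxy(url):
    """Mask the password in a proxy URL of the form scheme://user:pass@host."""
    parts = urlsplit(url)
    if not parts.password:
        return url
    host = parts.netloc.rpartition("@")[2]  # host[:port] exactly as written
    return urlunsplit(parts._replace(netloc=f"{parts.username}:{MASK}@{host}"))


# repr=False: the generated dataclass repr would print every field verbatim.
@dataclass(repr=False)
class DownloadSettings:  # hypothetical stand-in, not Pulp's HttpDownload
    url: str
    user: str = ""
    password: str = ""
    ssl_key: str = ""  # a file path, left readable as argued in the comment
    proxy: str = ""
    headers: dict = field(default_factory=dict)

    def __str__(self):
        headers = {k: MASK if k.lower() in SECRET_HEADERS else v
                   for k, v in self.headers.items()}
        return (f"HttpDownload: url={self.url} | ssl: key={self.ssl_key} | "
                f"User: name={self.user} password={mask(self.password)} | "
                f"proxy={mask_proxy(self.proxy)} headers={headers}")

    # %r formatting and tracebacks must not bypass the mask.
    __repr__ = __str__


if __name__ == "__main__":
    # Constructed sample values.
    print(DownloadSettings(url="https://repo.example/missing-1.iso",
                           user="admin", password="constructed-secret",
                           proxy="http://puser:ppass@proxy.example:3128"))
```

Because the error description is built from this string, anything stored in task results or logs carries the masked form only.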

#3 Updated by jortel@redhat.com about 2 years ago

I have a patch for this.

#4 Updated by mhrivnak about 2 years ago

  • Sprint/Milestone set to 45

#5 Updated by jortel@redhat.com about 2 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to jortel@redhat.com

#6 Updated by jortel@redhat.com about 2 years ago

  • Status changed from ASSIGNED to POST

#7 Updated by jortel@redhat.com about 2 years ago

  • Status changed from POST to MODIFIED

#8 Updated by bmbouter over 1 year ago

  • Sprint set to Sprint 26

#9 Updated by bmbouter over 1 year ago

  • Sprint/Milestone deleted (45)

#10 Updated by daviddavis 6 months ago

  • Sprint/Milestone set to 3.0

#11 Updated by bmbouter 6 months ago

  • Tags deleted (Pulp 3)
