Project

Profile

Help

Issue #3015

closed

Sensitive data is visible in task results in case of download failures

Added by ttereshc over 6 years ago. Updated over 4 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Category:
-
Sprint/Milestone:
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
Yes
Tags:
Sprint:
Sprint 26
Quarter:

Description

To reproduce: sync repo which misses some files to cause download failures: https://repos.fedorapeople.org/pulp/pulp/fixtures/file-mixed/PULP_MANIFEST

Check description of non-fatal errors, it contains all the configuration details for the downloader, including password and SSL key (in the output below those params are not configured at all for the importer and thus empty).
This data is added here for HttpDownload and here for FtpDownload.

HTTP 200 OK
Allow: GET, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "_href": "http://127.0.0.1:8000/api/v3/tasks/6709dd9e-3ee1-4343-8d6f-a28b77a8d92b/",
    "group": null,
    "state": "completed",
    "started_at": "2017-09-14T23:48:35.283677Z",
    "finished_at": "2017-09-14T23:48:36.977364Z",
    "non_fatal_errors": [
        {
            "traceback": null,
            "code": null,
            "description": "HttpDownload: id=5808 url=https://repos.fedorapeople.org/pulp/pulp/fixtures/file-mixed/missing-1.iso writer=missing-1.iso | repair: retries=1 | timeout: connect=10 read=30 | ssl: validation=False CA= key= certificate= | User: name= password= | proxy= headers={} - Failed. Reason: HTTP [404]"
        },
        {
            "traceback": null,
            "code": null,
            "description": "HttpDownload: id=5960 url=https://repos.fedorapeople.org/pulp/pulp/fixtures/file-mixed/missing-2.iso writer=missing-2.iso | repair: retries=1 | timeout: connect=10 read=30 | ssl: validation=False CA= key= certificate= | User: name= password= | proxy= headers={} - Failed. Reason: HTTP [404]"
        }
    ],
    "error": null,
    "worker": "http://127.0.0.1:8000/api/v3/workers/reserved_resource_worker_2@pulp3/",
    "parent": null,
    "tags": [],
    "progress_reports": [
        {
            "message": "Add Content",
            "state": "completed",
            "total": 5,
            "done": 5,
            "suffix": "",
            "task": "http://127.0.0.1:8000/api/v3/tasks/6709dd9e-3ee1-4343-8d6f-a28b77a8d92b/"
        },
        {
            "message": "Remove Content",
            "state": "completed",
            "total": 0,
            "done": 0,
            "suffix": "",
            "task": "http://127.0.0.1:8000/api/v3/tasks/6709dd9e-3ee1-4343-8d6f-a28b77a8d92b/"
        }
    ]
}
Actions #1

Updated by ttereshc over 6 years ago

  • Triaged changed from No to Yes
  • Sprint Candidate changed from No to Yes
Actions #2

Updated by jortel@redhat.com over 6 years ago

I don't see how the paths to the SSL certificates or the username would be a security problem. The password should be masked. Masking is seems better than removing all together because knowing it contained a value would be helpful when troubleshooting.

Added by jortel@redhat.com over 6 years ago

Revision b7cee910 | View on GitHub

Mask logged password. closes #3015

Added by jortel@redhat.com over 6 years ago

Revision b7cee910 | View on GitHub

Mask logged password. closes #3015

Actions #3

Updated by jortel@redhat.com over 6 years ago

I have a patch for this.

Actions #4

Updated by mhrivnak over 6 years ago

  • Sprint/Milestone set to 45
Actions #5

Updated by jortel@redhat.com over 6 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to jortel@redhat.com
Actions #6

Updated by jortel@redhat.com over 6 years ago

  • Status changed from ASSIGNED to POST
Actions #7

Updated by jortel@redhat.com over 6 years ago

  • Status changed from POST to MODIFIED
Actions #8

Updated by bmbouter about 6 years ago

  • Sprint set to Sprint 26
Actions #9

Updated by bmbouter about 6 years ago

  • Sprint/Milestone deleted (45)
Actions #10

Updated by daviddavis almost 5 years ago

  • Sprint/Milestone set to 3.0.0
Actions #11

Updated by bmbouter almost 5 years ago

  • Tags deleted (Pulp 3)
Actions #12

Updated by bmbouter over 4 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE

Also available in: Atom PDF