Issue #3015

Sensitive data is visible in task results in case of download failures

Added by ttereshc over 2 years ago. Updated 3 months ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Category: -
Sprint/Milestone:
Start date:
Due date:
Severity: 2. Medium
Version:
Platform Release:
Blocks Release:
OS:
Backwards Incompatible: No
Triaged: Yes
Groomed: No
Sprint Candidate: Yes
Tags:
QA Contact:
Complexity:
Smash Test:
Verified: No
Verification Required: No
Sprint: Sprint 26

Description

To reproduce: sync a repo which is missing some files to cause download failures: https://repos.fedorapeople.org/pulp/pulp/fixtures/file-mixed/PULP_MANIFEST

Check the description of the non-fatal errors; it contains all the configuration details for the downloader, including the password and SSL key (in the output below those params are not configured at all for the importer and are thus empty).
This data is added here for HttpDownload and here for FtpDownload.

HTTP 200 OK
Allow: GET, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "_href": "http://127.0.0.1:8000/api/v3/tasks/6709dd9e-3ee1-4343-8d6f-a28b77a8d92b/",
    "group": null,
    "state": "completed",
    "started_at": "2017-09-14T23:48:35.283677Z",
    "finished_at": "2017-09-14T23:48:36.977364Z",
    "non_fatal_errors": [
        {
            "traceback": null,
            "code": null,
            "description": "HttpDownload: id=5808 url=https://repos.fedorapeople.org/pulp/pulp/fixtures/file-mixed/missing-1.iso writer=missing-1.iso | repair: retries=1 | timeout: connect=10 read=30 | ssl: validation=False CA= key= certificate= | User: name= password= | proxy= headers={} - Failed. Reason: HTTP [404]"
        },
        {
            "traceback": null,
            "code": null,
            "description": "HttpDownload: id=5960 url=https://repos.fedorapeople.org/pulp/pulp/fixtures/file-mixed/missing-2.iso writer=missing-2.iso | repair: retries=1 | timeout: connect=10 read=30 | ssl: validation=False CA= key= certificate= | User: name= password= | proxy= headers={} - Failed. Reason: HTTP [404]"
        }
    ],
    "error": null,
    "worker": "http://127.0.0.1:8000/api/v3/workers/reserved_resource_worker_2@pulp3/",
    "parent": null,
    "tags": [],
    "progress_reports": [
        {
            "message": "Add Content",
            "state": "completed",
            "total": 5,
            "done": 5,
            "suffix": "",
            "task": "http://127.0.0.1:8000/api/v3/tasks/6709dd9e-3ee1-4343-8d6f-a28b77a8d92b/"
        },
        {
            "message": "Remove Content",
            "state": "completed",
            "total": 0,
            "done": 0,
            "suffix": "",
            "task": "http://127.0.0.1:8000/api/v3/tasks/6709dd9e-3ee1-4343-8d6f-a28b77a8d92b/"
        }
    ]
}

Associated revisions

Revision b7cee910 View on GitHub
Added by jortel@redhat.com over 2 years ago

Mask logged password. closes #3015

History

#1 Updated by ttereshc over 2 years ago

  • Triaged changed from No to Yes
  • Sprint Candidate changed from No to Yes

#2 Updated by jortel@redhat.com over 2 years ago

I don't see how the paths to the SSL certificates or the username would be a security problem. The password should be masked. Masking seems better than removing it altogether because knowing it contained a value would be helpful when troubleshooting.
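An added illustration of the masking approach described in comment #2, for task results that were already stored with the description format shown in this issue. This is not the patch referenced in this issue and not Pulp's code; the function names, the mask string and the sample credentials are assumptions made for the example.

```python
import copy
import re

MASK = "*****"  # assumed mask string; shows that a value was configured

# "password=<value>" in the HttpDownload layout from this issue: the value ends
# at the " | proxy=" field. Greedy, so an odd value is over-masked, not leaked.
_FIELD = re.compile(r"(\bpassword=)(.*)(?= \| proxy=)", re.S)
# Other layouts (the FtpDownload one is not shown in the issue): mask to the end.
_FALLBACK = re.compile(r"(\bpassword=)(.+)", re.S)


def mask_description(description):
    """Return (masked_text, had_secret) for one description string."""
    had_secret = False

    def _sub(match):
        nonlocal had_secret
        if match.group(2) == "":
            return match.group(0)  # nothing configured: keep the field empty
        had_secret = True
        return match.group(1) + MASK

    pattern = _FIELD if _FIELD.search(description) else _FALLBACK
    return pattern.sub(_sub, description), had_secret


def mask_task(task):
    """Return a masked copy of a task result and the number of leaked passwords."""
    masked = copy.deepcopy(task)
    leaks = 0
    for error in masked.get("non_fatal_errors") or []:
        text = error.get("description")
        if isinstance(text, str):
            error["description"], hit = mask_description(text)
            leaks += hit
    return masked, leaks


# Constructed sample in the format from the issue; the credentials are made up.
SAMPLE_TASK = {
    "state": "completed",
    "non_fatal_errors": [
        {"description": "HttpDownload: id=1 url=https://example.com/a.iso writer=a.iso | repair: retries=1 | timeout: connect=10 read=30 | ssl: validation=False CA= key= certificate= | User: name=alice password=s3cr3t | x | proxy= headers={} - Failed. Reason: HTTP [404]"},
        {"description": "HttpDownload: id=2 url=https://example.com/b.iso writer=b.iso | User: name= password= | proxy= headers={} - Failed. Reason: HTTP [404]"},
    ],
}

if __name__ == "__main__":
    masked_task, leak_count = mask_task(SAMPLE_TASK)
    print(leak_count, masked_task["non_fatal_errors"][0]["description"])
```

An empty `password=` field is left as it is, so a reader can still tell an unconfigured importer from one whose password was masked.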

#3 Updated by jortel@redhat.com over 2 years ago

I have a patch for this.

#4 Updated by mhrivnak over 2 years ago

  • Sprint/Milestone set to 45

#5 Updated by jortel@redhat.com over 2 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to jortel@redhat.com

#6 Updated by jortel@redhat.com over 2 years ago

  • Status changed from ASSIGNED to POST

#7 Updated by jortel@redhat.com over 2 years ago

  • Status changed from POST to MODIFIED

#8 Updated by bmbouter almost 2 years ago

  • Sprint set to Sprint 26

#9 Updated by bmbouter almost 2 years ago

  • Sprint/Milestone deleted (45)

#10 Updated by daviddavis 10 months ago

  • Sprint/Milestone set to 3.0.0

#11 Updated by bmbouter 10 months ago

  • Tags deleted (Pulp 3)

#12 Updated by bmbouter 3 months ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
