
Issue #8058

Proxy credentials displayed in clear text

Added by andyfry about 2 months ago. Updated about 1 month ago.

Status: NEW
Priority: Normal
Assignee: -
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 3. High
Version:
Platform Release:
OS: CentOS 7
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags:
Sprint:
Quarter:

Description

Proxy username and password are written to logs and displayed in clear text.

Initially discovered in Foreman: https://community.theforeman.org/t/proxy-credentials-display-in-clear-text/21695

Dec 10 10:03:00 foreman-svr dynflow-sidekiq@worker: 2020-12-09T23:33:00.412Z 8510 TID-2xkvka Dynflow::Executors::Sidekiq::WorkerJobs::PerformWork JID-cc67cbe413dbce63e8a08c92 INFO: done: 0.131 sec
Dec 10 10:03:00 foreman-svr dynflow-sidekiq@orchestrator: 2020-12-09T23:33:00.412Z 8466 TID-2wc8sa Dynflow::Executors::Sidekiq::OrchestratorJobs::WorkerDone JID-1a23e2e868a7847bcf0f4175 INFO: start
Dec 10 10:03:00 foreman-svr dynflow-sidekiq@orchestrator: 2020-12-09T23:33:00.414Z 8466 TID-2wc8sa Dynflow::Executors::Sidekiq::OrchestratorJobs::WorkerDone JID-1a23e2e868a7847bcf0f4175 INFO: done: 0.001 sec
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: pulp: rq.worker:ERROR: Traceback (most recent call last):
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib/python3.6/site-packages/rq/worker.py", line 936, in perform_job
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: rv = job.perform()
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib/python3.6/site-packages/rq/job.py", line 684, in perform
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: self._result = self._execute()
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib/python3.6/site-packages/rq/job.py", line 690, in _execute
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: return self.func(*self.args, **self.kwargs)
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib/python3.6/site-packages/pulp_rpm/app/tasks/synchronizing.py", line 266, in synchronize
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: dv.create()
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib/python3.6/site-packages/pulpcore/plugin/stages/declarative_version.py", line 148, in create
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: loop.run_until_complete(pipeline)
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib64/python3.6/asyncio/base_events.py", line 484, in run_until_complete
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: return future.result()
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib/python3.6/site-packages/pulpcore/plugin/stages/api.py", line 225, in create_pipeline
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: await asyncio.gather(*futures)
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib/python3.6/site-packages/pulpcore/plugin/stages/api.py", line 43, in __call__
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: await self.run()
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib/python3.6/site-packages/pulpcore/plugin/stages/artifact_stages.py", line 152, in run
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: pb.done += task.result() # download_count
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib/python3.6/site-packages/pulpcore/plugin/stages/artifact_stages.py", line 178, in _handle_content_unit
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: await asyncio.gather(*downloaders_for_content)
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib/python3.6/site-packages/pulpcore/plugin/stages/models.py", line 88, in download
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: download_result = await downloader.run(extra_data=self.extra_data)
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib/python3.6/site-packages/pulpcore/download/base.py", line 227, in run
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: return await self._run(extra_data=extra_data)
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib/python3.6/site-packages/pulp_rpm/app/downloaders.py", line 87, in _run
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: async with self.session.get(url, proxy=self.proxy, auth=self.auth) as response:
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib64/python3.6/site-packages/aiohttp/client.py", line 1012, in __aenter__
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: self._resp = await self._coro
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib64/python3.6/site-packages/aiohttp/client.py", line 483, in _request
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: timeout=real_timeout
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib64/python3.6/site-packages/aiohttp/connector.py", line 523, in connect
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: proto = await self._create_connection(req, traces, timeout)
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib64/python3.6/site-packages/aiohttp/connector.py", line 856, in _create_connection
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: req, traces, timeout)
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib64/python3.6/site-packages/aiohttp/connector.py", line 1083, in _create_proxy_connection
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: headers=resp.headers)
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: aiohttp.client_exceptions.ClientHttpProxyError: 503, message='Service Unavailable', url=URL('http://proxyuser:proxypass@proxysvr.blah.com:8080')
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: Traceback (most recent call last):
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib/python3.6/site-packages/rq/worker.py", line 936, in perform_job
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: rv = job.perform()
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib/python3.6/site-packages/rq/job.py", line 684, in perform
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: self._result = self._execute()
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib/python3.6/site-packages/rq/job.py", line 690, in _execute
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: return self.func(*self.args, **self.kwargs)
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib/python3.6/site-packages/pulp_rpm/app/tasks/synchronizing.py", line 266, in synchronize
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: dv.create()
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib/python3.6/site-packages/pulpcore/plugin/stages/declarative_version.py", line 148, in create
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: loop.run_until_complete(pipeline)
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib64/python3.6/asyncio/base_events.py", line 484, in run_until_complete
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: return future.result()
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib/python3.6/site-packages/pulpcore/plugin/stages/api.py", line 225, in create_pipeline
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: await asyncio.gather(*futures)
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib/python3.6/site-packages/pulpcore/plugin/stages/api.py", line 43, in __call__
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: await self.run()
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib/python3.6/site-packages/pulpcore/plugin/stages/artifact_stages.py", line 152, in run
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: pb.done += task.result() # download_count
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib/python3.6/site-packages/pulpcore/plugin/stages/artifact_stages.py", line 178, in _handle_content_unit
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: await asyncio.gather(*downloaders_for_content)
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib/python3.6/site-packages/pulpcore/plugin/stages/models.py", line 88, in download
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: download_result = await downloader.run(extra_data=self.extra_data)
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib/python3.6/site-packages/pulpcore/download/base.py", line 227, in run
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: return await self._run(extra_data=extra_data)
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib/python3.6/site-packages/pulp_rpm/app/downloaders.py", line 87, in _run
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: async with self.session.get(url, proxy=self.proxy, auth=self.auth) as response:
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib64/python3.6/site-packages/aiohttp/client.py", line 1012, in __aenter__
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: self._resp = await self._coro
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib64/python3.6/site-packages/aiohttp/client.py", line 483, in _request
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: timeout=real_timeout
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib64/python3.6/site-packages/aiohttp/connector.py", line 523, in connect
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: proto = await self._create_connection(req, traces, timeout)
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib64/python3.6/site-packages/aiohttp/connector.py", line 856, in _create_connection
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: req, traces, timeout)
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: File "/usr/lib64/python3.6/site-packages/aiohttp/connector.py", line 1083, in _create_proxy_connection
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: headers=resp.headers)
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: aiohttp.client_exceptions.ClientHttpProxyError: 503, message='Service Unavailable', url=URL('http://proxyuser:proxypass@proxysvr.blah.com:8080')
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: pulp: rq.worker:INFO: Cleaning registries for queue: 29117@foreman-svr.blah.com
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: pulp: rq.worker:INFO: 29117@foreman-svr.blah.com: f44c079e-1f6f-418f-862d-3f2750967b59
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: pulp: rq.worker:INFO: 29117@foreman-svr.blah.com: Job OK (f44c079e-1f6f-418f-862d-3f2750967b59)
Dec 10 10:03:02 foreman-svr pulpcore-worker-2: pulp: rq.worker:INFO: 29117@foreman-svr.blah.com: 0e1b15ba-53bb-4b4b-8281-9c96dc2138bd
Dec 10 10:03:02 foreman-svr pulpcore-resource-manager: pulp: rq.worker:INFO: resource-manager: Job OK (37c3b1b7-b17d-47da-8c05-83058de07eb1)
Dec 10 10:03:02 foreman-svr pulpcore-resource-manager: pulp: rq.worker:INFO: resource-manager: 674105cb-89eb-4b5d-89bb-4e0437377d89
Dec 10 10:03:04 foreman-svr pulpcore-worker-2: pulp: rq.worker:INFO: 29117@foreman-svr.blah.com: Job OK (0e1b15ba-53bb-4b4b-8281-9c96dc2138bd)
Dec 10 10:03:04 foreman-svr pulpcore-worker-2: pulp: rq.worker:INFO: 29117@foreman-svr.blah.com: ba50faec-c595-4965-a20e-12d808b5e2eb
Dec 10 10:03:04 foreman-svr pulpcore-worker-2: pulp: rq.worker:INFO: 29117@foreman-svr.blah.com: Job OK (ba50faec-c595-4965-a20e-12d808b5e2eb)
Dec 10 10:03:04 foreman-svr pulpcore-worker-2: pulp: rq.worker:INFO: 29117@foreman-svr.blah.com: 542d88fe-2dbd-4914-89e0-ab1563ac8553

Related issues

Related to Pulp - Story #8167: As a user, I have proxy_password and proxy_username available on all remotes. (MODIFIED)


History

#1 Updated by dkliban@redhat.com about 2 months ago

  • Triaged changed from No to Yes

Pulpcore cannot fix this issue; however, we will file a bug about the behavior with aiohttp.

#3 Updated by jsherril@redhat.com about 1 month ago

I feel like pulp should actually be using a header to send Proxy Authentication: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization

#4 Updated by daviddavis about 1 month ago

  • Triaged changed from Yes to No

Untriaging so we can discuss ^ at our next triage.

#5 Updated by bmbouter about 1 month ago

It seems like aiohttp supports two styles when providing credentials for proxies:

  1. Specifying BasicAuth credentials (which I think will cause it to use the Proxy-Authorization header like you're saying)
  2. Specifying them in the proxy URL itself

Pulp's remotes only have proxy_url; they don't have proxy_username and proxy_password. Having only proxy_url causes Pulp to accept its proxy auth in the url only, which causes aiohttp to never use the header.

To use the header we would need to add proxy_username and proxy_password, which I'm ok to add, but that is what it would take I believe.

Still, users could not set those and still add the username and password to the proxy_url, and it would still be logged in plaintext, so that's a separate issue.
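The two halves of the discussion above, separating the credentials from the proxy URL so they can be sent as a Proxy-Authorization header rather than carried inside the URL object that ends up in the exception message, and scrubbing any URL userinfo that still reaches a log line, as an added example. This is not Pulp's or aiohttp's code; it is standard-library only so it runs without aiohttp installed, and the sample exception text is constructed from the message shown in this issue (RuntimeError stands in for aiohttp's ClientHttpProxyError).

```python
"""Keep proxy credentials out of the proxy URL, and scrub any that still get
there before a line reaches the log.

Added example for this issue; not Pulp's or aiohttp's code.  Standard library
only.  The sample exception text below is constructed from the message in the
issue; RuntimeError stands in for aiohttp.client_exceptions.ClientHttpProxyError.
"""
import base64
import logging
import re
import sys
from urllib.parse import unquote, urlsplit, urlunsplit

# "scheme://user[:password]@" anywhere in free text (an exception message, a
# syslog line).  The scheme is required so that worker names such as
# "29117@foreman-svr.blah.com" in the same log are left untouched.
_USERINFO_RE = re.compile(
    r"(\b[A-Za-z][A-Za-z0-9+.-]*://)([^/\s@:'\"]+)(?::([^/\s@'\"]*))?@"
)


def split_proxy_url(proxy_url):
    """Return (proxy_url_without_userinfo, username, password).

    Credentials embedded in the URL travel inside the client's URL object and
    so into the proxy error's message; credentials passed separately are sent
    as a Proxy-Authorization header and never appear in that message.
    """
    parts = urlsplit(proxy_url)
    username = unquote(parts.username) if parts.username is not None else None
    password = unquote(parts.password) if parts.password is not None else None
    host = parts.hostname or ""
    if ":" in host:  # an IPv6 literal loses its brackets in .hostname
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return clean, username, password


def proxy_authorization_header(username, password):
    """Header value for HTTP Basic proxy authentication (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def redact_userinfo(text):
    """Mask the user and password of every URL embedded in `text`."""
    def mask(match):
        scheme, password = match.group(1), match.group(3)
        return f"{scheme}***@" if password is None else f"{scheme}***:***@"
    return _USERINFO_RE.sub(mask, text)


class RedactingFormatter(logging.Formatter):
    """Scrub the fully rendered record.  The traceback text is produced from
    exc_info at format time, not from record.msg, so a logging.Filter on the
    message alone would miss the credential in the exception line."""
    def format(self, record):
        return redact_userinfo(super().format(record))


def demo_record():
    """A record carrying an exception whose str() embeds the proxy URL, the
    way the aiohttp error in the issue does (constructed sample)."""
    try:
        raise RuntimeError(
            "503, message='Service Unavailable', "
            "url=URL('http://proxyuser:proxypass@proxysvr.blah.com:8080')"
        )
    except RuntimeError:
        return logging.LogRecord("pulp", logging.ERROR, "downloaders.py", 87,
                                 "sync failed", None, sys.exc_info())


def format_record(record, redact=True):
    """Render `record` with the redacting formatter, or the stock one for comparison."""
    cls = RedactingFormatter if redact else logging.Formatter
    return cls("%(levelname)s: %(message)s").format(record)


if __name__ == "__main__":
    url, user, pw = split_proxy_url("http://proxyuser:proxypass@proxysvr.blah.com:8080")
    print(url, user, pw)                               # credentials separated from the URL
    print(proxy_authorization_header(user, pw))
    print(format_record(demo_record(), redact=False))  # stock formatter leaks the password
    print(format_record(demo_record()))                # http://***:***@proxysvr.blah.com:8080
```

With aiohttp, the split values go to `session.get(url, proxy=clean_url, proxy_auth=aiohttp.BasicAuth(user, pw))`, which is the header path the thread describes; the formatter is the belt-and-braces layer for the case where an operator still pastes credentials into proxy_url.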

#6 Updated by bmbouter about 1 month ago

  • Related to Story #8167: As a user, I have proxy_password and proxy_username available on all remotes. added

#7 Updated by bmbouter about 1 month ago

This issue will serve to track the incorrect logging of credentials when the username and password are embedded in the proxy_url.

Users who want to workaround this issue by specifying the proxy_username and proxy_password outside of the url should use this pending feature: https://pulp.plan.io/issues/8167

#8 Updated by fao89 about 1 month ago

  • Triaged changed from No to Yes
