OpenTracing spans reveal URL auth credentials #1459

Closed
atombender opened this issue Feb 5, 2021 · 7 comments

@atombender
Contributor

Which version of Elastic are you using?

[X] elastic.v7 (for Elasticsearch 7.x)
[ ] elastic.v6 (for Elasticsearch 6.x)
[ ] elastic.v5 (for Elasticsearch 5.x)
[ ] elastic.v3 (for Elasticsearch 2.x)
[ ] elastic.v2 (for Elasticsearch 1.x)

Please describe the expected behavior

We expected the spans reported to hide the user name and password.

Please describe the actual behavior

Full URL was exposed. Example from Jaeger UI (scrubbed):

[Screenshot not preserved: Screen Shot 2021-02-05 at 08 55 09]

Any steps to reproduce the behavior?

Set the client up with a URL with a user name and password.

I'll see about creating a PR for this.

@olivere olivere added the bug label Mar 24, 2021
@olivere olivere added this to the 7.x milestone Mar 24, 2021
@olivere
Owner

olivere commented Mar 24, 2021

Oops. That's a bug for sure.

@olivere olivere modified the milestones: 7.x, 7.0.24 Mar 30, 2021
olivere added a commit that referenced this issue Apr 12, 2021
This commit improves the tests to make sure that HTTP basic auth
credentials don't leak into tracing data.

See #1459
@olivere
Owner

olivere commented Apr 12, 2021

I improved tests in 180a7ca but cannot reproduce. Am I missing something?

@olivere olivere modified the milestones: 7.0.24, 7.0.25 Apr 12, 2021
@olivere olivere modified the milestones: 7.0.25, 7.0.26 Jun 16, 2021
@olivere olivere modified the milestones: 7.0.26, 7.0.27 Jul 8, 2021
@olivere olivere modified the milestones: 7.0.27, 7.0.28 Jul 30, 2021
@olivere olivere modified the milestones: 7.0.28, 7.0.29 Aug 30, 2021
dungnx pushed a commit to dungnx/elastic that referenced this issue Sep 16, 2021
This commit improves the tests to make sure that HTTP basic auth
credentials don't leak into tracing data.

See olivere#1459
@olivere olivere modified the milestones: 7.0.29, 7.0.30 Sep 16, 2021
@atombender
Contributor Author

Great. Just to be clear, that logging goes to the OpenTracing span?

@olivere
Owner

olivere commented Dec 17, 2021

Whoops. I'm sorry...

@olivere olivere reopened this Dec 17, 2021
@olivere olivere modified the milestones: 7.0.30, 7.0.31 Dec 17, 2021
@olivere
Owner

olivere commented Dec 17, 2021

Have to double-check.

olivere added a commit that referenced this issue Jan 7, 2022
This commit hopefully, finally, fixes the credentials leakage described
in #1459.
@olivere
Owner

olivere commented Jan 7, 2022

I'll give it another go in 7.0.31. It replaced the occurrence of req.URL.String() with req.URL.Redacted() which hopefully, finally, fixes this issue. Let me know if it still happens to be logged. I do not doubt it happens, but I'm still not sure how to reproduce it.

@olivere olivere closed this as completed Jan 7, 2022
@atombender
Contributor Author

Thank you!

olivere added a commit that referenced this issue Jan 7, 2022
This commit will also redact the URL to not expose credentials, similar
to #1459.
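
The change discussed in this thread, replacing `req.URL.String()` with `req.URL.Redacted()` before the URL is recorded on a span, shown as an added example that is not code from the olivere/elastic repository. The `spanTags` type, `startSpan`, the `stripped` variant and the sample URL are assumptions made for illustration; note that `Redacted()` masks only the password, so hiding the user name as well requires dropping the userinfo.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Constructed sample values; not taken from the issue.
const samplePassword = "s3cr3t-constructed"
const sampleURL = "http://elastic:" + samplePassword + "@127.0.0.1:9200/_search"

// spanTags is a hypothetical stand-in for the tags a tracer stores on a span.
type spanTags map[string]string

// leaky: URL.String() keeps "user:password@" verbatim.
func leaky(r *http.Request) string { return r.URL.String() }

// redacted: URL.Redacted() (Go 1.15+) replaces only the password with "xxxxx".
func redacted(r *http.Request) string { return r.URL.Redacted() }

// stripped: drop userinfo on a copy, so the real request keeps its credentials.
func stripped(r *http.Request) string {
	u := *r.URL
	u.User = nil
	return u.String()
}

// startSpan (hypothetical) returns the tags a traced request would record.
func startSpan(r *http.Request, format func(*http.Request) string) spanTags {
	return spanTags{"http.method": r.Method, "http.url": format(r)}
}

// leaks reports whether the secret appears anywhere in the recorded tags.
func leaks(tags spanTags, secret string) bool {
	return strings.Contains(fmt.Sprint(tags), secret)
}

func sampleRequest() *http.Request {
	req, _ := http.NewRequest(http.MethodGet, sampleURL, nil) // constant URL, parse cannot fail
	return req
}

func main() {
	for _, f := range []func(*http.Request) string{leaky, redacted, stripped} {
		tags := startSpan(sampleRequest(), f)
		fmt.Println(tags["http.url"], "leaks password:", leaks(tags, samplePassword))
	}
}
```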