apache / cloudstack

Apache CloudStack is an open-source Infrastructure as a Service (IaaS) cloud computing platform
https://cloudstack.apache.org/
Apache License 2.0

Sensitive information of jobVo.getResult() may leak #8874

Open YLChen-007 opened 3 months ago

YLChen-007 commented 3 months ago
ISSUE TYPE
COMPONENT NAME
Cloud-Server
CLOUDSTACK VERSION
commit ID: 45d267ccbf2749c547cbbbac4a2cb1f3351dcaf2 on main branch.
SUMMARY

Sensitive information of jobVo.getResult() may be logged at "s_logger.debug("New job " + workJob.getId() + ", result field: " + jobVo.getResult());"

Detail

Following the link, we know resultObject is sensitive data, which may contain passwords.

https://github.com/apache/cloudstack/blob/bd38f0647f59e09bc0755bbf48d48fb0a21295ca/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/impl/AsyncJobManagerImpl.java#L261

Then the resultObject flows to a field of job in the following code. https://github.com/apache/cloudstack/blob/bd38f0647f59e09bc0755bbf48d48fb0a21295ca/framework/jobs/src/main/java/org/apache/cloudstack/framework/jobs/impl/AsyncJobManagerImpl.java#L288

So I guess the job.result may contain sensitive data, which cannot be logged. But in the following code, job.result is printed. https://github.com/apache/cloudstack/blob/bd38f0647f59e09bc0755bbf48d48fb0a21295ca/server/src/main/java/com/cloud/storage/VolumeApiServiceImpl.java#L3422

DaanHoogland commented 3 months ago

@1561316811, these logs are done explicitly to help operators troubleshoot their environment. Can you explain why this is a problem?

DaanHoogland commented 1 month ago

@YLChen-007, a job without password (obfuscated) is logged. I don't understand the problem you are seeing. Can you explain?
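The thread turns on whether credential fields in a serialized job result can reach a debug line like the one quoted in the report. As an added illustration (not CloudStack code, and not the obfuscation the maintainer refers to), the hypothetical helper below redacts credential-like fields from a result string before it is handed to a logger; the field names it matches and the sample results are assumptions constructed for this example.

```java
import java.util.regex.Pattern;

/** Hypothetical helper, not part of CloudStack: redact credential-like fields
 *  in a serialized job result before it reaches a debug log statement. */
public final class JobResultLogRedactor {
    // JSON-style fields such as "password":"..."; key names are assumptions.
    private static final Pattern JSON_FIELD = Pattern.compile(
        "(\"(?:password|passwd|secret[_a-z]*|token|apikey|api_key)\"\\s*:\\s*\")([^\"]*)(\")",
        Pattern.CASE_INSENSITIVE);
    // key=value style fields such as password=... inside comma/semicolon lists.
    private static final Pattern KV_FIELD = Pattern.compile(
        "\\b((?:password|passwd|secret|token|apikey|api_key)\\s*=\\s*)([^,;&\\s]+)",
        Pattern.CASE_INSENSITIVE);

    private JobResultLogRedactor() {}

    /** Returns a copy of the serialized result with secret values replaced by a marker. */
    public static String redact(String serializedResult) {
        if (serializedResult == null) {
            return null;
        }
        String out = JSON_FIELD.matcher(serializedResult).replaceAll("$1[REDACTED]$3");
        return KV_FIELD.matcher(out).replaceAll("$1[REDACTED]");
    }

    /** Self-check on constructed sample results (not real CloudStack job output). */
    public static void main(String[] args) {
        String json = "{\"volumeId\":\"vol-1\",\"password\":\"Hunter2!\",\"apiKey\":\"abc123\"}";
        String kv = "status=success,password=Hunter2!,details=ok";
        String safeJson = redact(json);
        String safeKv = redact(kv);
        System.out.println("result field: " + safeJson);
        System.out.println("result field: " + safeKv);
        // Fail loudly if any secret survived; in a real code base this belongs in a unit test
        // that guards every log statement which prints a job result.
        if (safeJson.contains("Hunter2") || safeJson.contains("abc123") || safeKv.contains("Hunter2")) {
            throw new IllegalStateException("secret leaked into log string");
        }
    }
}
```

Wrapping the result in such a redactor (or asserting in a test that the logged string contains no known credential values) is how an operator can keep the troubleshooting value of the debug line while verifying that the obfuscation actually covers every field the result carries.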