Closed chenejac closed 3 years ago
Michel Héon said:
When Tomcat starts, a series of log files (~tomcat/log/*) are generated. The first line of the vivo.log file (see below) contains a lot of information, in particular several values coming from runtime.properties. The information presented includes passwords (e.g. the VIVO root password, ORCID passwords or IDs, or database passwords). The presentation of these passwords is a security violation that exposes passwords, especially of the ROOT user but probably also of the current users of VIVO.
2021-06-02 07:02:08,581 INFO [ConfigurationProperties] ConfigurationPropertiesImpl[propertyMap={RDFService.languageFilter=false, Vitro.defaultNamespace=http://localhost:8080/vivo/individual/, Vitro.reconcile.defaultTypeList=http://vivoweb.org/ontology/core#Role, core:Role; http://vivoweb.org/ontology/core#AcademicDegree, core:Academic Degree; http://purl.org/NET/c4dm/event.owl#Event, event:Event; http://vivoweb.org/ontology/core#Location, core:Location; http://xmlns.com/foaf/0.1/Organization, foaf:Organization; http://xmlns.com/foaf/0.1/Person, foaf:Person; http://purl.obolibrary.org/obo/IAO_0000030, obo:IAO_0000030, VitroConnection.DataSource.dbtype=MySQL, VitroConnection.DataSource.driver=com.mysql.jdbc.Driver, VitroConnection.DataSource.password=PASSWORD, VitroConnection.DataSource.pool.maxActive=40, VitroConnection.DataSource.pool.maxIdle=10, VitroConnection.DataSource.url=jdbc:mysql://localhost/vitrodb, VitroConnection.DataSource.username=vivo, VitroConnection.DataSource.validationQuery=SELECT 1, argon2.memory=1024, argon2.parallelism=1, argon2.time=1000, http.createCacheHeaders=true, orcid.api=sandbox, orcid.apiVersion=2.0, orcid.clientId=APP-MWPTQ7Z850AY2GCH, orcid.clientPassword=PASSWORD, orcid.externalIdCommonName=Université du Québec à Montréal, orcid.webappBaseUrl=http://locahost:8080/vivo/, proxy.eligibleTypeList=http://xmlns.com/foaf/0.1/Person, http://xmlns.com/foaf/0.1/Organization, rootUser.emailAddress=vivo@uqam.ca, rootUser.password=PASSWORD, rootUser.passwordChangeRequired=false, rp.multiple=config, selfEditing.idMatchingProperty=http://localhost:8080/ns#networkId, visualization.temporal=enabled, vitro.home=/home/heon/01-SPRINT/2021-05-17-SPRINT-06/UQAM-DEV/vivo-home/home, vitro.local.solr.url=http://localhost:8983/solr/vivocore}]
Benjamin Gross said:
Perhaps an acceptable solution is changing the default log level there to debug? [https://github.com/vivo-project/Vitro/blob/rel-1.12.0-RC/api/src/main/java/edu/cornell/mannlib/vitro/webapp/config/ConfigurationProperties.java#L112]
I wonder if the config properties in the bean will ever not exactly reflect what is in runtime.properties? If not, there doesn't seem to be a need for the config to be printed to a log.
Side note, the root password is only the initial root password, which will be changed after the first login. Previously this was hard-coded to be 'rootPassword' but the ability to set the initial password in runtime.properties was recently added, as you know. No other user account passwords will be included.
Brian Lowe said:
PR for logging at DEBUG level: https://github.com/vivo-project/Vitro/pull/237
Brian Lowe said:
Resolved in commit https://github.com/vivo-project/Vitro/commit/1d89cbc9085c0126ae3f16815283a2f7f9d63fa1
Michel Héon (Migrated from VIVO-1995) said:
Should consider either not logging the runtime properties, or selectively including only those deemed to be of low risk.
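The two mitigations discussed in this thread (lowering the log level, and logging only low-risk properties) can be combined: render the property map through a redacting formatter, and only at DEBUG level. The class below is an added example written for this discussion; it is not Vitro's code and does not match the signature of ConfigurationPropertiesImpl. The key pattern it treats as sensitive is an assumption chosen to cover the keys visible in the log line above (rootUser.password, VitroConnection.DataSource.password, orcid.clientPassword); the sample map in main() is constructed for the example.

```java
import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Pattern;

/**
 * Hypothetical helper (not part of Vitro) that renders a configuration
 * property map for logging while masking values whose key looks secret.
 * The point is that a value is masked by its key name, so the log never
 * carries the secret even if the log level is later raised.
 */
public final class RedactingPropertyFormatter {

    // Key fragments treated as sensitive (case-insensitive). This list is an
    // assumption for the example; extend it for your own runtime.properties.
    private static final Pattern SENSITIVE_KEY =
            Pattern.compile("(?i)(password|passwd|secret|token|credential)");

    private static final String MASK = "********";

    private RedactingPropertyFormatter() {
    }

    /** True when the key name indicates a value that must not be logged. */
    public static boolean isSensitive(String key) {
        return key != null && SENSITIVE_KEY.matcher(key).find();
    }

    /**
     * Returns a sorted "{key=value, ...}" rendering of the map, with the
     * value of every sensitive key replaced by MASK. Non-sensitive values
     * (namespaces, URLs, pool sizes) are kept, since those are what an
     * operator actually wants to see when diagnosing startup.
     */
    public static String format(Map<String, String> props) {
        StringBuilder sb = new StringBuilder("{");
        boolean first = true;
        for (Map.Entry<String, String> e : new TreeMap<>(props).entrySet()) {
            if (!first) {
                sb.append(", ");
            }
            first = false;
            sb.append(e.getKey()).append('=')
              .append(isSensitive(e.getKey()) ? MASK : e.getValue());
        }
        return sb.append('}').toString();
    }

    public static void main(String[] args) {
        // Constructed sample resembling the runtime.properties keys in the issue.
        Map<String, String> props = new TreeMap<>();
        props.put("VitroConnection.DataSource.username", "vivo");
        props.put("VitroConnection.DataSource.password", "PASSWORD");
        props.put("rootUser.emailAddress", "vivo@uqam.ca");
        props.put("rootUser.password", "PASSWORD");
        props.put("orcid.clientId", "APP-MWPTQ7Z850AY2GCH");
        props.put("orcid.clientPassword", "PASSWORD");
        props.put("vitro.local.solr.url", "http://localhost:8983/solr/vivocore");

        // In a real logger call, guard this with the DEBUG-level check as well,
        // e.g. if (log.isDebugEnabled()) log.debug(format(props));
        System.out.println(format(props));
    }
}
```

Redacting by key name is a coarse filter: it will not catch a secret embedded in a non-suspicious key (for example a JDBC URL that carries credentials in its query string), so a deny-list of key names should be paired with a review of which properties actually need to appear in the startup log at all.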