speckyspooky
commented
1 month ago This is not a BIRT-issue by default because you have extracted all details externally. So you created an external XML-file with the configuration details. You have hand written the reading of the config-xml and the XML-parsing. As last step you set the config-properies and try to start the connection which crash.
But the problem is in my point of view not BIRT by default. The question is which data will arrive the beforeOpen.
And will be set the correct values to the connection.
The message of "MY_SECRET_USER" is a default error message from birt this is right but means not that the value has really quotes on it.
Your error dump means that there is an error on the getConnection based on the JDBC-driver and the error means the cause of it could be the user name "MY_SECRET_USER", but it could be another value which causes trouble because it seems that you have multiple problems according to the message.
And here only like an example, I have done today some testing and my NPE got the same message with quotes to, only as a string for compare the message has nothing to do with your case:
alex-axiobit
When reading database connection details with beforeOpen function on tomcat 9 on linux birt runtime seems to read the values incorrectly. On windows works fine.
Its surrounding the parameters that it reads with the following string:
"leading to values like"mySecretPassword"I am reading database connection details with the beforeOpen function and because the connection is unsuccessful it throws multiple errors. Also, it dumps the entire error in the http response revealing possible sensitive information...
This seem to be a vulnerability.
error.dump.txt env.txt beforeOpen.txt