jberet / jsr352

Implementation of Jakarta Batch Specification and API
Eclipse Public License 2.0

jberet-core logging database credentials #452

Closed DaScheid closed 8 months ago

DaScheid commented 8 months ago

When the database connection to the job-repository cannot be established (using the JdbcRepository), then an exception is thrown: https://github.com/jberet/jsr352/blob/87dd8202797e628a4a3bc5b468b1a8ae1c1e9698/jberet-core/src/main/java/org/jberet/repository/JdbcRepository.java#L1115 The exception message is constructed using the 'dbProperties': https://github.com/jberet/jsr352/blob/87dd8202797e628a4a3bc5b468b1a8ae1c1e9698/jberet-core/src/main/java/org/jberet/_private/BatchMessages.java#L103 The 'dbProperties' might contain username and password for the database connection. So if this exception is logged, the resulting log might look like this: "JBERET000622 Failed to obtain connection from <jdbc-url>, {password=<password_in_plain_text>, user=<username_in_plain_text>}"

Therefore, database credentials might be logged unobfuscated as plain text to the console and are visible to everyone who has access to it - which might be a security risk.
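One way to keep credentials out of such a message is to redact the sensitive entries of the `Properties` object before it is formatted. The following is an added example, not JBeret's own code or fix; the class name `RedactedDbProperties`, the list of sensitive keys and the sample values are assumptions for illustration.

```java
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.TreeMap;

public class RedactedDbProperties {
    // Property names whose values must never reach a log line.
    // Assumed list for this example; adjust to the driver's actual key names.
    private static final Set<String> SENSITIVE_KEYS =
            Set.of("password", "user", "secret", "token");

    /** Returns a sorted copy of props with sensitive values replaced by "***". */
    public static Map<String, String> redact(Properties props) {
        Map<String, String> out = new TreeMap<>();
        for (String name : props.stringPropertyNames()) {
            String value = props.getProperty(name);
            boolean sensitive = SENSITIVE_KEYS.contains(name.toLowerCase());
            out.put(name, sensitive ? "***" : value);
        }
        return out;
    }

    /** Builds a message of the same shape as the one quoted in the issue, with credentials masked. */
    public static String failedToObtainConnection(String jdbcUrl, Properties dbProperties) {
        return "JBERET000622 Failed to obtain connection from " + jdbcUrl + ", " + redact(dbProperties);
    }

    public static void main(String[] args) {
        // Constructed sample input for the demonstration; not taken from any real deployment.
        Properties db = new Properties();
        db.setProperty("user", "batch_app");
        db.setProperty("password", "example-secret");
        db.setProperty("autoReconnect", "true");
        System.out.println(failedToObtainConnection("jdbc:postgresql://db.example/batch", db));
    }
}
```

The user name is masked as well, since the issue notes it is also exposed; only non-sensitive driver options remain readable in the log.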