[Spike] Sanitize environment in connect payload

kford-newrelic commented 2 months ago

Description

The java agent sends many environment settings when connecting to new relic, one of those is the JVM arguments.

It is not unusual for customers to include sensitive information there and we must avoid sending that over the network.

Acceptance Criteria

This is a research spike to analyze they payload sent and determine feasibility to detect any sensitive data and exclude it from the payload in some manner. This may include new relic secrets, like a license key, but also other secrets the client may pass as a jvm argument to their applications like credentials to access cloud services, DB credentials, etc.

After the completion of the spike, we'll want to discuss findings with the requesting org before proceeding.

Design Consideration/Limitations

Since it's likely to be difficult to reliably detect and remove only sensitive data, this has the potential of obscuring settings that are valuable for the customer to see, so this should be agent configurable (will need to determine whether to default on or off)
May want to consider either an allow or block list to be specified, to make it easier to leave common JVM parameters alone
Should discuss with other agent teams to determine whether an agent spec should be considered
This might obscure data that is helpful for support purposes; we'll want to understand that possible impact

Dependencies

The connect service team is taking a look at something similar, as a short-term implementation. We should sync up with them to understand where they are. JVM property key values by frequency, that may not contain sensitive values:

4017 -javaagent
2102 --add-opens
1674 -XX:+UseG1GC
1086 -XX:+HeapDumpOnOutOfMemoryError
 935 -Dnewrelic.config.app_name
 761 -Djava.security.egd
 698 -XX:+UseStringDeduplication
 698 -Dspring.profiles.active
 635 -Djava.io.tmpdir
 571 -Dnewrelic.environment
 564 -Dlog4j2.formatMsgNoLookups
 562 -XX:+PrintGCDetails
 507 -Dfile.encoding
 497 -Dnewrelic.config.license_key
 469 -Dcom.sun.management.jmxremote.ssl
 468 -XX:-OmitStackTraceInFastThrow
 467 -Dcom.sun.management.jmxremote.authenticate
 464 -XX:+UseConcMarkSweepGC
 462 -XX:+PrintGCDateStamps
 457 -Dcom.sun.management.jmxremote.port
 424 -XX:+ParallelRefProcEnabled
 407 -Dcom.sun.management.jmxremote
 399 -Dnewrelic.config.file
 355 -Djava.util.logging.manager
 353 -Dnewrelic.config.proxy_host
 350 -XX:+UseContainerSupport
 346 -Duser.timezone
 334 -Dnewrelic.config.proxy_port
 316 -XX:+ExitOnOutOfMemoryError
 308 -Dcatalina.base
 307 -Dcatalina.home
 300 -XX:+DisableExplicitGC

Examples where JVM parameters might contain sensitive values:

   2 -Damazon.secretKey
   2 -Damazon.accessKey
   2 -Dazure.keyvault.uri
   2 -Dazure.keyvault.tenant-id
   2 -Dazure.keyvault.client-id
   2 -D_FT_SECURITY_KEYSTORE_PASSWORD
   2 -DJDBC_DEVICEDB_USER
   2 -DJDBC_DEVICEDB_PASSWORD
   2 -DJDBC_DEVICEDB_CONNECTION_STR
   1 -Dspring.activemq.user
   1 -Dspring.activemq.password
   1 -Dspring.activemq.broker-url

Additional context

Original work request - NR-295685

workato-integration[bot] commented 2 months ago

https://new-relic.atlassian.net/browse/NR-309169

kanderson250 commented 1 week ago

Closing this spike. Work to be completed in issue #2110

newrelic / newrelic-java-agent