JSONFormatter can log sensitive data
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
oslo.log | Fix Released | High | Unassigned |
Bug Description
The JSONFormatter logs the args to the log statement and in some cases that "args" is a dict of values where only some of them are intended to be logged.
For example, take a look at this code in the oslo impl_rabbit.py[1]. It's logging useful information like the hostname, port, and transport, which are just a few fields in the connection.info() dict. The JSONFormatter goes ahead and logs the full args[2], which in this case contains the username and password, which were never intended to be in the log.
I can see the benefit of logging the args as it could contain useful data, but I think that if some of it is that useful, it should have been in the log message in the first place.
This appears in the old nova.common.
[1] https:/
[2] https:/
Changed in oslo.log:
status: New → Confirmed
importance: Undecided → High
information type: Private Security → Public Security
I know we'd been trying to get away from this, but maybe we should pass the args param through mask_dict_password before logging it?
https://github.com/openstack/oslo.utils/blob/da8d3c3bbcb640d91e2b014345387b532cc9978f/oslo_utils/strutils.py#L340
That seems like the param where people are most likely to accidentally pass private data. The rest are more explicit, in general.
I guess the alternative is to treat this as user error and change oslo.messaging to pass only the fields it's actually logging. Or we could do both. Mask the passwords we can, but also change oslo.messaging to not pass the sensitive data in the first place. We could also add a strong warning to the oslo.log documentation that anything in the args structure may be exposed by some formatters.
That way we fix what we can in oslo.log but also establish a new best practice for logging parameters.
As this is a rather old security bug, I probably need to check with the VMT to see how to proceed. Once the patches are posted this will have to become public knowledge. Any input from the rest of oslo-coresec is also welcome.
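
The leak described in this report and the masking mitigation proposed in the comment above, as an added example that is not part of the original bug report and is not oslo.log or oslo.utils code. `ArgsJSONFormatter` and `mask_dict` are simplified stdlib-only stand-ins (assumptions) for a JSON formatter that serializes `record.args` and for a dict password masker; the key list and connection values are constructed.

```python
import io
import json
import logging

# Assumed key names for this sketch; a real masker keeps its own list.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token"}


def mask_dict(value, mask="***"):
    """Recursively replace values stored under sensitive-looking keys."""
    if isinstance(value, dict):
        return {k: mask if str(k).lower() in SENSITIVE_KEYS else mask_dict(v, mask)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [mask_dict(v, mask) for v in value]
    return value


class ArgsJSONFormatter(logging.Formatter):
    """Hypothetical JSON formatter that emits the whole args structure."""

    def __init__(self, mask_args=False):
        super().__init__()
        self.mask_args = mask_args

    def format(self, record):
        args = mask_dict(record.args) if self.mask_args else record.args
        return json.dumps({"message": record.getMessage(), "args": args},
                          default=str)


def emit(mask_args):
    """Log one connection message with the full info dict; return the parsed JSON."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(ArgsJSONFormatter(mask_args=mask_args))
    logger = logging.getLogger("demo.mask_%s" % mask_args)
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    # Constructed sample shaped like a connection info dict; not real credentials.
    info = {"hostname": "mq.example.test", "port": 5672, "transport": "amqp",
            "userid": "svc", "password": "s3cr3t-constructed"}
    # The message template uses three fields, but the whole dict becomes record.args.
    logger.info("Connected to AMQP server on %(hostname)s:%(port)s via %(transport)s", info)
    logger.removeHandler(handler)
    return json.loads(stream.getvalue())
```

Comparing `emit(False)` with `emit(True)` shows the rendered message is identical in both cases; only the serialized `args` field differs, which is why a text formatter never exposed the password while the JSON one did.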