glanceclient leaks X-Auth-Token into debug log

Bug #2051712 reported by Jonathan Rosser
Affects: Glance Client | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

While debugging the magnum service I saw this in the magnum-api service log:

2024-01-30 10:17:29.636860+00:00 magnum-api.service 2024-01-30 10:17:29.636 132227 DEBUG glanceclient.common.http [None req-8deace0b-6a46-4f3b-b8fa-b540584fee96 - - - - - -] curl -g -i -X GET -H 'b'Content-Type': b'application/octet-stream'' -H 'b'X-Auth-Token': b'gAAAAABluMyyB-cdC8boko9GhQFDGs1CPHXstZoM2fdTCxI9oa0IjbJ_wX4ldXRBM9SutOUXvHnKOcQOo_w_XtL7Lnna2TQC2hvZOPcfI79SFNTfIazei0Dj-lVgIQkkE3OMu1zwCXKY3MgCcwGjz4rH0BcKXAQgPI11DjwtTz3TJF4YE43lIFI'' -H 'User-Agent: python-glanceclient' -H 'Accept-Encoding: gzip, deflate' -H 'Accept: */*' -H 'Connection: keep-alive' http://172.29.236.101:9292/v2/images?name=fedora-coreos-latest&limit=200 log_curl_request /openstack/venvs/magnum-28.1.0.dev31/lib/python3.10/site-packages/glanceclient/common/http.py:219

X-Auth-Token is unredacted; I would expect it to be converted to a hash here, https://opendev.org/openstack/python-glanceclient/src/branch/stable/2023.2/glanceclient/common/http.py#L200, but that is not happening.

Tags: security
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-glanceclient (master)
Changed in python-glanceclient:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-glanceclient (master)

Reviewed: https://review.opendev.org/c/openstack/python-glanceclient/+/914555
Committed: https://opendev.org/openstack/python-glanceclient/commit/28497adc33eadc53da9013ca9b805ead07619732
Submitter: "Zuul (22348)"
Branch: master

commit 28497adc33eadc53da9013ca9b805ead07619732
Author: Cyril Roelandt <email address hidden>
Date: Wed Mar 27 19:37:25 2024 +0100

    Do not leak X-Auth-Token when logging curl requests

    We pass *encoded* headers to log_curl_request, but then compare them to
    *unencoded* sensitive headers that must be redacted (basically comparing
    bytes to strings). This means no header is ever redacted.

    Store sensitive headers as bytes rather than strings to fix this issue.

    Change-Id: I06785704750e8c4b23d1276514949655e6dcb7ab
    Closes-Bug: #2051712

Changed in python-glanceclient:
status: In Progress → Fix Released
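The commit message above describes a type-confusion bug in log redaction: the request layer hands over headers already encoded to bytes, while the list of sensitive header names is kept as str, so the membership check never matches and the token is logged verbatim. The following is an added illustration of that failure mode and its fix, written for this page; it is not glanceclient's own code. The header list, the `{SHA1}` digest prefix, and the function names are assumptions chosen for the example. The fixed variant also normalises header-name case, which goes slightly beyond the commit's description.

```python
import hashlib

# Header names whose values must never reach a log. Kept as str here to
# reproduce the defect; the real list in glanceclient may differ (assumption).
SENSITIVE_HEADERS = ("X-Auth-Token",)

# The fix from the commit message: keep the sensitive names as bytes so they
# compare equal to the already-encoded header keys. Lower-cased so the match
# is case-insensitive, as HTTP header names are.
SENSITIVE_HEADERS_BYTES = tuple(h.lower().encode("utf-8") for h in SENSITIVE_HEADERS)


def redact_value(value: bytes) -> str:
    """Replace a secret with a digest so log lines stay correlatable
    (same token, same digest) without exposing the token itself.
    The '{SHA1}' prefix format is an assumption for this example."""
    return "{SHA1}" + hashlib.sha1(value).hexdigest()


def encode_headers(headers: dict) -> dict:
    """Mimic the request layer: header names and values arrive as bytes."""
    return {k.encode("utf-8"): v.encode("utf-8") for k, v in headers.items()}


def format_curl_buggy(encoded_headers: dict) -> str:
    """Defective pattern: keys are bytes, SENSITIVE_HEADERS holds str, so the
    membership test is always False and every header is logged unredacted."""
    parts = []
    for key, value in encoded_headers.items():
        if key in SENSITIVE_HEADERS:          # bytes vs str: never matches
            value = redact_value(value).encode("utf-8")
        parts.append("-H '%s: %s'" % (key.decode("utf-8"), value.decode("utf-8")))
    return "curl -g -i -X GET " + " ".join(parts)


def format_curl_fixed(encoded_headers: dict) -> str:
    """Corrected pattern: compare bytes to bytes (case-insensitively)."""
    parts = []
    for key, value in encoded_headers.items():
        if key.lower() in SENSITIVE_HEADERS_BYTES:
            value = redact_value(value).encode("utf-8")
        parts.append("-H '%s: %s'" % (key.decode("utf-8"), value.decode("utf-8")))
    return "curl -g -i -X GET " + " ".join(parts)


def log_line_leaks_secret(log_line: str, secrets) -> bool:
    """Regression check a defender wants: does the emitted line contain any
    of the raw secret values that were passed in the request?"""
    return any(secret in log_line for secret in secrets)


if __name__ == "__main__":
    # Constructed sample request; the token value is not a real credential.
    headers = encode_headers({
        "Content-Type": "application/octet-stream",
        "X-Auth-Token": "constructed-sample-token-value",
        "User-Agent": "python-glanceclient",
    })
    secrets = ["constructed-sample-token-value"]
    print("buggy leaks:", log_line_leaks_secret(format_curl_buggy(headers), secrets))
    print("fixed leaks:", log_line_leaks_secret(format_curl_fixed(headers), secrets))
```

The `log_line_leaks_secret` check is the kind of assertion worth adding to a unit test for any curl-style request logger: feed a known dummy token through the logging path and assert that the raw value is absent from the output, so a regression of this sort is caught before it reaches a DEBUG log.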
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/python-glanceclient 4.6.0

This issue was fixed in the openstack/python-glanceclient 4.6.0 release.
