Password written in clear text in heat-api.log with DEBUG mode

Bug #1664792 reported by Tristan Cacqueray on 2017-02-15
This bug affects 2 people
Affects           Status        Importance  Assigned to  Milestone
OpenStack Heat    Fix Released  Medium      Rico Lin
  Mitaka          In Progress   Undecided   Crag Wolfe
  Newton          In Progress   Undecided   Crag Wolfe
  Ocata           In Progress   Undecided   Crag Wolfe
  Pike            Fix Released  Medium      Rico Lin

Bug Description

Reported by Hans Feldt, Ericsson

Affected code:

heat/common/serializers.py:

    import datetime

    from oslo_log import log as logging
    from oslo_serialization import jsonutils
    import six

    LOG = logging.getLogger(__name__)


    class JSONResponseSerializer(object):

        def to_json(self, data):
            def sanitizer(obj):
                # Fallback for types json cannot encode: ISO-8601 for
                # datetimes, text for everything else.
                if isinstance(obj, datetime.datetime):
                    return obj.isoformat()
                return six.text_type(obj)

            response = jsonutils.dumps(data, default=sanitizer)
            # Writes the whole serialized response body, credentials
            # included, to heat-api.log whenever DEBUG logging is enabled.
            LOG.debug("JSON response : %s" % response)  # <- HERE
            return response

While this is not a security vulnerability, masking sensitive data in logs is a good-to-have security hardening measure.
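The masking the report asks for, as an added example that is not Heat's own code: Heat's actual fix (below) simply deletes the debug line, while this example keeps a debug log of the response but redacts values under credential-looking keys before logging, and also shows where key-based masking falls short. The key pattern, the `mask_sensitive`/`run` helpers, the `LeakySerializer`/`MaskingSerializer` classes and the sample stack payload are assumptions constructed for this example; only the serializer shape mirrors the snippet above.

```python
"""Added example, not Heat code: redact credentials before a DEBUG log."""
import datetime
import json
import logging
import re

# Keys whose values must never reach a log file (assumed list; tune per app).
SENSITIVE_KEY_RE = re.compile(
    r"(password|passwd|secret|token|api_key|auth_key|private_key)",
    re.IGNORECASE,
)
MASK = "***"


def mask_sensitive(obj):
    """Return a deep copy of obj with values under sensitive keys replaced.

    Recurses through nested dicts and lists; other values pass through.
    """
    if isinstance(obj, dict):
        return {
            k: (MASK if isinstance(k, str) and SENSITIVE_KEY_RE.search(k)
                else mask_sensitive(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [mask_sensitive(item) for item in obj]
    return obj


class _CaptureHandler(logging.Handler):
    """Collects formatted log records so the example can inspect them."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def _sanitizer(obj):
    # Same fallback the Heat serializer uses: ISO dates, text for the rest.
    if isinstance(obj, datetime.datetime):
        return obj.isoformat()
    return str(obj)


class LeakySerializer:
    """Mirrors the reported behaviour: logs the full body at DEBUG."""

    def __init__(self, logger):
        self.log = logger

    def to_json(self, data):
        response = json.dumps(data, default=_sanitizer)
        self.log.debug("JSON response : %s", response)
        return response


class MaskingSerializer(LeakySerializer):
    """Hardened variant: the wire response is unchanged, the log is masked."""

    def to_json(self, data):
        response = json.dumps(data, default=_sanitizer)
        self.log.debug("JSON response : %s",
                       json.dumps(mask_sensitive(data), default=_sanitizer))
        return response


def run(serializer_cls, data):
    """Serialize data with DEBUG logging on; return (response, log_lines)."""
    logger = logging.getLogger("example." + serializer_cls.__name__)
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = _CaptureHandler()
    logger.handlers = [handler]
    response = serializer_cls(logger).to_json(data)
    return response, handler.lines


# Constructed sample: a stack-style payload carrying a DB password and a
# token stored under a neutral key, as Heat stack outputs are.
SAMPLE = {
    "stack": {
        "stack_name": "db",
        "creation_time": datetime.datetime(2017, 2, 15, 7, 4, 27),
        "parameters": {"db_password": "hunter2", "flavor": "m1.small"},
        "outputs": [{"output_key": "admin_token", "output_value": "tok-123"}],
    }
}

if __name__ == "__main__":
    for cls in (LeakySerializer, MaskingSerializer):
        _, lines = run(cls, SAMPLE)
        print(cls.__name__, "->", lines[0])
```

Running it shows `hunter2` in the leaky serializer's log line and `***` in the masking one's, with the HTTP response identical in both cases. Note the caveat the sample is built to expose: the token lives under `output_value`, a key the pattern cannot recognise, so it still reaches the log. Key-name masking only catches secrets whose container names them, which is why removing the log line outright (the approach Heat took) is the safer default until the serializer knows which fields are secret.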

description: updated
Rico Lin (rico-lin) on 2017-02-15
Changed in heat:
importance: Undecided → Medium
Rico Lin (rico-lin) on 2017-02-15
Changed in heat:
status: New → Confirmed

Fix proposed to branch: master
Review: https://review.openstack.org/434112

Changed in heat:
assignee: nobody → Rico Lin (rico-lin)
status: Confirmed → In Progress
Rico Lin (rico-lin) on 2017-02-24
Changed in heat:
milestone: none → pike-1

Reviewed: https://review.openstack.org/434112
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=1c32b85d54a07ce12cdf9b1703fb3e41657a683d
Submitter: Jenkins
Branch: master

commit 1c32b85d54a07ce12cdf9b1703fb3e41657a683d
Author: ricolin <email address hidden>
Date: Wed Feb 15 15:04:27 2017 +0800

    Stop showing json deserialized message in log

    We stop showing the json deserialized message in the debug log, because
    the message will involve some private credential data (like a
    password). Let's block it for now, until we get a better solution.
    Partial-Bug: #1664792

    Change-Id: I07410df56449c5414a5572d07507e17f5858c5c6

Reviewed: https://review.openstack.org/442652
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=ae4fff5fa6ef1b6a51d2e45115dc24eff91ff458
Submitter: Jenkins
Branch: stable/ocata

commit ae4fff5fa6ef1b6a51d2e45115dc24eff91ff458
Author: ricolin <email address hidden>
Date: Wed Feb 15 15:04:27 2017 +0800

    Stop showing json deserialized message in log

    We stop showing the json deserialized message in the debug log, because
    the message will involve some private credential data (like a
    password). Let's block it for now, until we get a better solution.
    Partial-Bug: #1664792

    Change-Id: I07410df56449c5414a5572d07507e17f5858c5c6
    (cherry picked from commit 1c32b85d54a07ce12cdf9b1703fb3e41657a683d)

tags: added: in-stable-ocata

Reviewed: https://review.openstack.org/442654
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=3a08c6d2e2ca9d57bf3016b509ab1f18a78b6dd9
Submitter: Jenkins
Branch: stable/newton

commit 3a08c6d2e2ca9d57bf3016b509ab1f18a78b6dd9
Author: ricolin <email address hidden>
Date: Wed Feb 15 15:04:27 2017 +0800

    Stop showing json deserialized message in log

    We stop showing the json deserialized message in the debug log, because
    the message will involve some private credential data (like a
    password). Let's block it for now, until we get a better solution.
    Partial-Bug: #1664792

    Change-Id: I07410df56449c5414a5572d07507e17f5858c5c6
    (cherry picked from commit 1c32b85d54a07ce12cdf9b1703fb3e41657a683d)

tags: added: in-stable-newton

Reviewed: https://review.openstack.org/442753
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=63b812365ba7a3c8979e279fe3a8b5a766a34e19
Submitter: Jenkins
Branch: stable/mitaka

commit 63b812365ba7a3c8979e279fe3a8b5a766a34e19
Author: ricolin <email address hidden>
Date: Wed Feb 15 15:04:27 2017 +0800

    Stop showing json deserialized message in log

    We stop showing the json deserialized message in the debug log, because
    the message will involve some private credential data (like a
    password). Let's block it for now, until we get a better solution.
    Partial-Bug: #1664792

    Change-Id: I07410df56449c5414a5572d07507e17f5858c5c6
    (cherry picked from commit 1c32b85d54a07ce12cdf9b1703fb3e41657a683d)

tags: added: in-stable-mitaka