
MonitoringEngine.kt leaks passwords #36

colinleroy opened this issue Dec 16, 2022 · 2 comments

@colinleroy
Contributor

Describe the bug
The logging of Kafka Configs / Components configs leaks passwords.

To Reproduce
Steps to reproduce the behavior:
configure something like

kafka.sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
  username="monitoring" \
  password="very-secret-password";
kafka.ssl.truststore.password=another-password

kafka-consumer-lag-monitoring logs Kafka Configs as

Kafka Configs: {ssl.truststore.password=another-password, security.protocol=SASL_SSL, ssl.endpoint.identification.algorithm=, ssl.truststore.location=/etc/ssl/certs/java/cacerts, bootstrap.servers=..., sasl.mechanism=PLAIN, sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="monitor" password="very-secret-password";, client.id=kafka-lag-exporter, ssl.truststore.type=PKCS12}

Expected behavior
kafka-consumer-lag-monitoring logs Kafka Configs as

Kafka Configs: {ssl.truststore.password=[REDACTED], security.protocol=SASL_SSL, ssl.endpoint.identification.algorithm=, ssl.truststore.location=/etc/ssl/certs/java/cacerts, bootstrap.servers=..., sasl.mechanism=PLAIN, sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="monitor" password="[REDACTED]";, client.id=kafka-lag-exporter, ssl.truststore.type=PKCS12}
omarsmak pushed a commit that referenced this issue Jan 20, 2023
* Avoid leaking passwords to logs

* Forgot ssl.keystore.certificate.chain

ssl.keystore.certificate.chain is also a password (a
private certificate) according to:
https://docs.confluent.io/platform/current/installation/configuration/admin-configs.html

Co-authored-by: Colin Leroy-Mira <[email protected]>
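The redaction the issue asks for, and the extra key the commit message mentions, as an added example in Kotlin that is not the project's own MonitoringEngine.kt code: values of keys ending in "password" or "certificate.chain" are replaced wholesale, and only the password="..." part of sasl.jaas.config is masked. The sample config map and the JAAS regex are assumptions modelled on the log line in the report.

```kotlin
// Added example, not code from kafka-consumer-lag-monitoring.
const val REDACTED = "[REDACTED]"

// Keys whose whole value is a secret. Suffix matching also covers prefixed
// keys such as kafka.ssl.truststore.password. ssl.keystore.certificate.chain
// carries private key material, so it is treated like a password.
private val SECRET_KEY_SUFFIXES = listOf("password", "certificate.chain")

// Matches password="..." or password='...' inside a JAAS config string
// (assumed format; group 2 is the quote character so it can be reused).
private val JAAS_PASSWORD = Regex("""(password\s*=\s*)(["']).*?\2""", RegexOption.IGNORE_CASE)

fun redactValue(key: String, value: Any?): Any? {
    if (value == null) return null
    val k = key.lowercase()
    if (SECRET_KEY_SUFFIXES.any { k.endsWith(it) }) return REDACTED
    if (k.endsWith("sasl.jaas.config")) {
        // Keep the login module and username, mask only the password literal.
        return JAAS_PASSWORD.replace(value.toString()) { m ->
            "${m.groupValues[1]}${m.groupValues[2]}$REDACTED${m.groupValues[2]}"
        }
    }
    return value
}

// Redact a copy of the map; the original config is passed to Kafka untouched.
fun redactConfig(config: Map<String, Any?>): Map<String, Any?> =
    config.mapValues { (k, v) -> redactValue(k, v) }

fun main() {
    // Constructed sample, modelled on the leaked log line in the issue.
    val config = mapOf(
        "ssl.truststore.password" to "another-password",
        "security.protocol" to "SASL_SSL",
        "sasl.jaas.config" to "org.apache.kafka.common.security.scram.ScramLoginModule required " +
            "username=\"monitor\" password=\"very-secret-password\";",
        "ssl.keystore.certificate.chain" to "-----BEGIN CERTIFICATE-----...",
        "client.id" to "kafka-lag-exporter",
    )
    println("Kafka Configs: ${redactConfig(config)}")
}
```

Log the result of redactConfig rather than the raw map; the raw map still goes to the Kafka client unchanged.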

ghost commented Feb 20, 2023

@omarsmak Are there any plans for a new release containing this fix?

@omarsmak
Owner

@jeromewaibel I am trying to release. However, I am having issues with both nexus and travis (credit ran out, requested credit). If it is critical, you may need to build it locally https://github.com/omarsmak/kafka-consumer-lag-monitoring/tree/0.1.3 . Sorry
