OpenStack Heat

Password written in clear text in heat-api.log with DEBUG mode

  1. Series ocata
  2. Bug #1664792
Bug #1664792 reported by Tristan Cacqueray
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Heat
Fix Released
Medium
Rico Lin
OpenStack Heat pike-2
Mitaka
In Progress
Undecided
Crag Wolfe
Newton
In Progress
Undecided
Crag Wolfe
Ocata
In Progress
Undecided
Crag Wolfe
Pike
Fix Released
Medium
Rico Lin
OpenStack Heat pike-2

Bug Description

Reported by Hans Feldt, Ericsson

Affected code:

heat/common/serializers.py:
 31 class JSONResponseSerializer(object):
 32
 33 def to_json(self, data):
 34 def sanitizer(obj):
 35 if isinstance(obj, datetime.datetime):
 36 return obj.isoformat()
 37 return six.text_type(obj)
 38
 39 response = jsonutils.dumps(data, default=sanitizer)
 40 LOG.debug("JSON response : %s" % response) # <- HERE

See original description
Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

While this is not a security vulnerability, masking sensitive data in log is a good to have security hardening measure.

Tristan Cacqueray (tristan-cacqueray)
description: updated
Rico Lin (rico-lin)
Changed in heat:
importance: Undecided → Medium
Rico Lin (rico-lin)
Changed in heat:
status: New → Confirmed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/434112

Changed in heat:
assignee: nobody → Rico Lin (rico-lin)
status: Confirmed → In Progress
Rico Lin (rico-lin)
Changed in heat:
milestone: none → pike-1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (master)

Reviewed: https://review.openstack.org/434112
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=1c32b85d54a07ce12cdf9b1703fb3e41657a683d
Submitter: Jenkins
Branch: master

commit 1c32b85d54a07ce12cdf9b1703fb3e41657a683d
Author: ricolin <email address hidden>
Date: Wed Feb 15 15:04:27 2017 +0800

    Stop showing json deserialized message in log

    We stop showing json deserialized message in debug log, because
    message will involved with some private credential message (like
    password). Let's block it for now, until we get a better solution.
    Partial-Bug: #1664792

    Change-Id: I07410df56449c5414a5572d07507e17f5858c5c6

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/442652

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/442654

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/442753

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (stable/ocata)

Reviewed: https://review.openstack.org/442652
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=ae4fff5fa6ef1b6a51d2e45115dc24eff91ff458
Submitter: Jenkins
Branch: stable/ocata

commit ae4fff5fa6ef1b6a51d2e45115dc24eff91ff458
Author: ricolin <email address hidden>
Date: Wed Feb 15 15:04:27 2017 +0800

    Stop showing json deserialized message in log

    We stop showing json deserialized message in debug log, because
    message will involved with some private credential message (like
    password). Let's block it for now, until we get a better solution.
    Partial-Bug: #1664792

    Change-Id: I07410df56449c5414a5572d07507e17f5858c5c6
    (cherry picked from commit 1c32b85d54a07ce12cdf9b1703fb3e41657a683d)

tags: added: in-stable-ocata
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (stable/newton)

Reviewed: https://review.openstack.org/442654
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=3a08c6d2e2ca9d57bf3016b509ab1f18a78b6dd9
Submitter: Jenkins
Branch: stable/newton

commit 3a08c6d2e2ca9d57bf3016b509ab1f18a78b6dd9
Author: ricolin <email address hidden>
Date: Wed Feb 15 15:04:27 2017 +0800

    Stop showing json deserialized message in log

    We stop showing json deserialized message in debug log, because
    message will involved with some private credential message (like
    password). Let's block it for now, until we get a better solution.
    Partial-Bug: #1664792

    Change-Id: I07410df56449c5414a5572d07507e17f5858c5c6
    (cherry picked from commit 1c32b85d54a07ce12cdf9b1703fb3e41657a683d)

tags: added: in-stable-newton
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (stable/mitaka)

Reviewed: https://review.openstack.org/442753
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=63b812365ba7a3c8979e279fe3a8b5a766a34e19
Submitter: Jenkins
Branch: stable/mitaka

commit 63b812365ba7a3c8979e279fe3a8b5a766a34e19
Author: ricolin <email address hidden>
Date: Wed Feb 15 15:04:27 2017 +0800

    Stop showing json deserialized message in log

    We stop showing json deserialized message in debug log, because
    message will involved with some private credential message (like
    password). Let's block it for now, until we get a better solution.
    Partial-Bug: #1664792

    Change-Id: I07410df56449c5414a5572d07507e17f5858c5c6
    (cherry picked from commit 1c32b85d54a07ce12cdf9b1703fb3e41657a683d)

tags: added: in-stable-mitaka
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.