
Mask secrets in CommandInvokedEvent and Command logger #25307

Merged

Conversation


@OndroMih OndroMih commented Jan 5, 2025

This fixes a security issue in the Command Logger feature, which allowed passwords used in some admin commands to be exposed. This fix replaces passwords in the logged messages with "******".
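The masking described above, written out as a stand-alone added example. This is not GlassFish's code: the real org.glassfish.api.admin.ParameterMap is stood in for by a plain Map<String, List<String>> (parameter name to one or more values), the set of secret parameter names and the SecretMasker class name are assumptions for illustration, and the helper is static, returns a copy rather than mutating its input, and tolerates a null map, which is the case the review thread below flags.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not GlassFish code: masks secret admin-command parameters
 * before they are logged or published as an event. The project's ParameterMap
 * is replaced here by Map<String, List<String>> (name -> values).
 */
public final class SecretMasker {

    /** Replacement written into the log in place of the real value (the PR uses "******"). */
    public static final String MASK = "******";

    /**
     * Parameter names treated as secrets. Assumed list for this example; the
     * project decides which admin-command options are sensitive.
     */
    private static final Set<String> SECRET_NAMES = Set.of(
            "password", "passwd", "userpassword", "aliaspassword", "mappedpassword");

    private SecretMasker() {
    }

    /**
     * Returns a masked copy of {@code parameters}. The input map is never
     * modified, because the same map is still handed to the command for
     * execution and must keep the real password. A null input yields an empty
     * map so the caller can always log safely.
     */
    public static Map<String, List<String>> maskSecretParameters(Map<String, List<String>> parameters) {
        Map<String, List<String>> masked = new LinkedHashMap<>();
        if (parameters == null) {
            return masked;
        }
        for (Map.Entry<String, List<String>> e : parameters.entrySet()) {
            List<String> values = e.getValue() == null ? List.of() : e.getValue();
            if (isSecret(e.getKey())) {
                // one fixed-length mask per value: the number of values is kept,
                // the length of each secret is not leaked
                masked.put(e.getKey(), Collections.nCopies(values.size(), MASK));
            } else {
                masked.put(e.getKey(), new ArrayList<>(values));
            }
        }
        return masked;
    }

    /** Case-insensitive match so spellings such as "PassWord" are caught as well. */
    static boolean isSecret(String name) {
        if (name == null) {
            return false;
        }
        String lower = name.toLowerCase(Locale.ROOT);
        if (SECRET_NAMES.contains(lower)) {
            return true;
        }
        // catch-all for compound names such as "sshpassword" or "dbpasswd"
        return lower.endsWith("password") || lower.endsWith("passwd");
    }

    public static void main(String[] args) {
        // constructed sample: roughly what a password-alias style invocation might carry
        Map<String, List<String>> invocation = new LinkedHashMap<>();
        invocation.put("aliasname", List.of("db-creds"));
        invocation.put("aliaspassword", List.of("s3cr3t"));
        invocation.put("DEFAULT", List.of("arg1", "arg2"));

        Map<String, List<String>> forLog = maskSecretParameters(invocation);
        System.out.println("logged  : " + forLog);
        System.out.println("executed: " + invocation);   // still holds the real password
        System.out.println("null in : " + maskSecretParameters(null));
    }
}
```

The two things worth checking in a unit test for a helper like this are that the original map still holds the real value after masking (the command must still run with the real password) and that a null map does not throw, since the logger runs for every command, including ones with no parameters.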

subject);
eventService.getCommandInvokedTopic()
.publish(event);
}

private ParameterMap maskSecretParameters(ParameterMap parameters) {
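Review bot: the new maskSecretParameters(ParameterMap) method is added without any Javadoc; document which parameter names it treats as secret, what the masked value looks like ("******", per the description), and that it returns a masked copy rather than altering the ParameterMap passed in, because the caller still needs the real values to execute the command. Stating that contract also makes the behaviour easy to pin down in a unit test.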
Contributor

Could it be static and have a unit test?

Contributor Author

OK. I will add this specific case into the CommandLoggerTest tests.

@@ -1642,12 +1643,22 @@ public void executeFromCheckpoint(JobManager.Checkpoint checkpoint, boolean reve
private void publishCommandInvokedEvent(ExecutionContext invocation, Subject subject) {
final CommandInvokedEvent event = new CommandInvokedEvent(
invocation.name(),
invocation.parameters(),
maskSecretParameters(invocation.parameters()),
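Review bot: maskSecretParameters(invocation.parameters()) replaces invocation.parameters() here without any guard; if invocation.parameters() can be null, the helper should return an empty ParameterMap for null input (or the call should be guarded here), otherwise building the CommandInvokedEvent fails before anything is logged. Also confirm the helper builds a new ParameterMap instead of modifying the one returned by invocation.parameters(), since that same map is what the command itself goes on to read.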
Contributor

The current failures suggest (to me) that invocation.parameters() can be null.

Extracted ExecutionContext inner class to package-private class CommandRunnerExecutionContext. Was too big and deserved a file on its own.
Moved mask method to ParameterMap and added unit tests.
A test to verify that the command logger doesn't log passwords
@OndroMih OndroMih requested review from pzygielo and hs536 January 10, 2025 12:35

@hs536 hs536 left a comment


LGTM

@hs536 hs536 added the security fix The change (component upgrade or gf code) concerns a CVE label Jan 15, 2025
@OndroMih OndroMih merged commit 2f694fa into eclipse-ee4j:master Jan 15, 2025
3 checks passed